credential-hygiene-validator

Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and token rotation status. Works with OpenClaw and general dotfile directories.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "credential-hygiene-validator" with this command: npx skills add Techris93/credential-hygiene-validator

Credential Hygiene Validator

Checks whether credentials and tokens in config files are stored with reasonable hygiene. Catches common mistakes before they become incidents.

What it checks

  1. File permissions -- config files should be 600 or 700, not world-readable
  2. Plaintext tokens -- scans for hex tokens, JWTs (base64url with dots), Bearer strings, and API keys
  3. Git repo contamination -- whether the config directory sits inside a git working tree
  4. Gitignore coverage -- whether .gitignore excludes credential paths
  5. Log file leaks -- tokens appearing in log output (checks all formats: hex, JWT, Bearer per RFC 6750)
  6. Token age -- warns if tokens have not been rotated recently
  7. Atomic write safety -- checks if config backup exists (indicator of safe write patterns)

When to use it

  • After setting up a new tool or service
  • Before pushing dotfiles to a public repo
  • As part of a regular security hygiene review
  • When onboarding a new machine
  • After rotating credentials, to confirm the old token is gone

Example prompts

  • "Check if my OpenClaw tokens are stored safely"
  • "Audit my dotfiles for leaked credentials"
  • "Is my config directory in a git repo?"
  • "Check file permissions on my credentials"
  • "Are my tokens showing up in any log files?"

Checks run

# 1. File permissions
stat -c '%a %n' ~/.openclaw/openclaw.json
# Expected: 600

# 2. Plaintext tokens (full token68 charset per RFC 7235)
grep -rnP '("token"\s*:\s*")[^"]{8,}"|[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/ --include="*.json" 2>/dev/null

# 3. Git repo check
git -C ~/.openclaw rev-parse --is-inside-work-tree 2>/dev/null
# Expected: error (not in a repo)

# 4. Gitignore coverage
grep -q '.openclaw' ~/.gitignore 2>/dev/null && echo "covered" || echo "not covered"

# 5. Log file leaks (full token68 charset)
grep -rnP '[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/logs/ --include="*.log" 2>/dev/null

# 6. Token age (check config file modification time)
find ~/.openclaw/openclaw.json -mtime +90 -print 2>/dev/null
# If output: token has not been rotated in 90+ days

# 7. Backup file exists (atomic write indicator)
ls ~/.openclaw/openclaw.json.bak 2>/dev/null && echo "backup present" || echo "no backup"

Notes

  • Read-only checks, does not modify any files
  • Token patterns match hex, JWT (header.payload.signature), base64url, and Bearer headers case-insensitively per RFC 6750
  • Works with any tool that stores credentials in dotfiles
  • Aligns with T-ACCESS-003 in the OpenClaw threat model

References

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

Ai Competitor Analyzer

提供AI驱动的竞争对手分析,支持批量自动处理,提升企业和专业团队分析效率与专业度。

Registry SourceRecently Updated
062
yang1002378395-cmyk
General

Ai Data Visualization

提供自动化AI分析与多格式批量处理,显著提升数据可视化效率,节省成本,适用企业和个人用户。

Registry SourceRecently Updated
041
yang1002378395-cmyk
General

Ai Cost Optimizer

提供基于预算和任务需求的AI模型成本优化方案,计算节省并指导OpenClaw配置与模型切换策略。

Registry SourceRecently Updated
037
yang1002378395-cmyk