首页龙虾技能列表 › Environment Secrets Rotator

Environment Secrets Rotator

v1.0.0

Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows.

0· 195·0 当前·0 累计
by @derick001 (Derick)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/14
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
Tool mostly does what it says (rotate .env secrets and emit Vault CLI commands), but the implementation persistently stores plaintext rotated secrets (history file in the user home) and the SKILL.md/behavior mismatch about 'optional' history raises a privacy/persistence concern you should review before use.
评估建议
This skill appears to perform local .env secret rotation as advertised, but it will create backups and — importantly — record rotation history in a file under your home directory (~/.env-rotation-history.json). That history may contain plaintext secret values and appears to be recorded on every non-dry-run rotation. Before installing or running on production secrets: (1) review the script's _record_history implementation and confirm whether and how secrets are stored; (2) run with --dry-run and ...
详细分析 ▾
用途与能力
Name/description align with code and instructions: the script rotates keys in .env files, generates Vault CLI commands, supports algorithms, backups, dry-run, validation and batch operations. No unrelated network or cloud credentials are requested.
指令范围
SKILL.md instructs only local .env manipulation and Vault command generation, which matches most of the code; however the runtime instructions do not clearly call out that rotations will be recorded persistently to a history file in the user's home directory. The code calls self._record_history(...) on every non-dry-run rotation, which could store sensitive values unless explicitly disabled — this is broader persistence than the SKILL.md emphasizes.
安装机制
No install script or network downloads are used; the skill is instruction-only with an included Python script that requires only python3 and standard library modules. Nothing in the install surface is surprising.
凭证需求
The skill requests no environment variables or external credentials (proportional), but it writes a history file to the user's home (~/.env-rotation-history.json) and creates backups next to edited files. Persisting plaintext rotated secrets in the home directory/backups is a sensitive capability not adequately highlighted in the description; this raises privacy risk if left enabled by default.
持久化与权限
The skill creates backups in the target directory and a history file in the user's home directory. Although it does not modify other skills or system-wide settings, the persistent storage of secret values (and the location in the home directory) is an elevated persistence footprint that should be disclosed and controllable.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/13

Initial release of env-secrets-rotator. - Rotate secrets in .env files with random value generation (hex, base64, uuid, alphanumeric) - Backup original files before modification - Preview changes using dry-run mode - Generate HashiCorp Vault CLI commands for rotated secrets - Batch process multiple keys/files and validate .env files - Optional rotation history tracking

● 可疑

安装命令 点击复制

官方npx clawhub@latest install env-secrets-rotator
镜像加速npx clawhub@latest install env-secrets-rotator --registry https://cn.clawhub-mirror.com

技能文档

What This Does

A CLI tool to help rotate secrets in environment files and generate commands for secret managers like HashiCorp Vault. Securely generates new random values for secrets, updates .env files, and provides rotation workflows for development and production environments.

Key features:

  • Rotate secrets in .env files - Generate new random values for specified keys
  • Multiple generation algorithms - Hex, base64, UUID, custom length
  • Backup original files - Create backups before modification
  • Dry-run mode - Preview changes without modifying files
  • Generate Vault commands - Output HashiCorp Vault CLI commands for secret rotation
  • Batch processing - Rotate multiple keys across multiple files
  • Validation - Check .env file format and key existence
  • Rotation history - Track previous values (optional)

How To Use

Basic rotation:

./scripts/main.py rotate --file .env --keys API_KEY,DB_PASSWORD

With custom generation:

./scripts/main.py rotate --file .env --keys API_KEY --algorithm base64 --length 32

Dry run (preview):

./scripts/main.py rotate --file .env --keys "" --dry-run

Generate Vault commands:

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/myapp

Full command reference:

./scripts/main.py help

Commands

  • rotate: Rotate secrets in environment files
- --file: Path to .env file (required) - --keys: Comma-separated keys to rotate, or "" for all (default: "") - --algorithm: Random generation algorithm: hex, base64, uuid, alphanumeric (default: hex) - --length: Length of generated secret (default: 32) - --backup: Create backup before modifying (default: true) - --dry-run: Preview changes without modifying files - --output: Write to new file instead of modifying original
  • vault: Generate HashiCorp Vault commands
- --keys: Comma-separated keys to generate commands for - --path: Vault secret path (e.g., "secret/data/myapp") - --engine: Vault secrets engine (default: "kv") - --method: Vault method: patch, put (default: "patch")
  • validate: Validate .env file
- --file: Path to .env file - --strict: Require all values to be non-empty
  • history: Show rotation history (if enabled)
- --file: Path to .env file - --key: Specific key to show history for

Output

Rotation output:

{
  "file": ".env",
  "rotated": ["API_KEY", "DB_PASSWORD"],
  "new_values": {
    "API_KEY": "a1b2c3d4e5f6...",
    "DB_PASSWORD": "x9y8z7w6v5u4..."
  },
  "backup": ".env.backup.20260311",
  "vault_commands": [
    "vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...",
    "vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4..."
  ]
}

Vault commands output:

# Generated Vault commands for secret rotation:
vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...
vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4...

Limitations

  • No actual Vault integration - Only generates commands; you must run them manually
  • Local files only - Cannot rotate secrets in remote secret managers
  • No key distribution - Does not distribute new secrets to services
  • Basic .env format - Supports simple KEY=VALUE format; no multiline or complex parsing
  • No encryption - Generated secrets are shown in plaintext in output
  • History tracking optional - Requires enabling and may store sensitive data

Security Considerations

  • Always review generated values before use
  • Use --dry-run to preview changes
  • Backups are created by default
  • Generated secrets are cryptographically random (using Python's secrets module)
  • Consider using a real secret manager for production secrets

Examples

Rotate all secrets in .env file: 

./scripts/main.py rotate --file .env --keys "" --backup true

Generate Vault commands for specific keys: 

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/production

Validate .env file before rotation: 

./scripts/main.py validate --file .env --strict

Rotate with custom base64 secrets: 

./scripts/main.py rotate --file .env --keys JWT_SECRET --algorithm base64 --length 64

Installation Notes

Uses Python's built-in secrets module for cryptographically secure random generation. No external dependencies required.

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务