📦 OpenClaw Secrets Hygiene — OpenClaw 密钥卫生管理

v1.0.0

协调网关重启、转换明文凭证为 SecretRef 格式、验证配置准确性，管理和审计 OpenClaw 密钥。

0· 54·0 当前·0 累计

by @jlab1201·MIT-0

生产力工具

下载技能包

License

MIT-0

最后更新

2026/4/12

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

high confidence

该技能的指令、文件编辑和 CLI 使用与其声明的审计和迁移 OpenClaw 密钥的目的相符；SKILL.md 中没有意外请求与任务无关的系统访问或外部凭证。

评估建议

该技能看起来适合用于迁移和审计 OpenClaw 密钥，但请谨慎操作：在进行更改之前备份所有 OpenClaw 配置文件（openclaw.json、auth-profiles.json、models.json、~/.openclaw）；首先在预发环境中审查并运行提供的脚本/编辑，以避免网关停机；将 OPENCLAW_GATEWAY_TOKEN 和任何 API 密钥视为敏感信息：安全地提供它们，不要粘贴到聊天日志中，并确保 ~/.openclaw/secrets.json 受文件权限保护（chmod 600）；确认您将运行的本地 'openclaw' CLI 是您环境的合法二进制文件；如果您有多个代理，请先在一个代理上测试顺序网关重启方法，然后再进行批量操作；如果您想要更高的保证，请在生产环境中应用这些指令和任何脚本之前，向技能作者/来源请求签名或审查过的版本。...

详细分析 ▾

✓ 用途与能力

名称/描述（密钥卫生、网关协调、SecretRef 转换）与指令相符：审计、创建 ~/.openclaw/secrets.json、更新 openclaw.json/auth-profiles.json/models.json、运行 openclaw CLI 命令和网关健康检查。请求的操作是您对密钥迁移/审计工具的预期操作。

ℹ 指令范围

SKILL.md 指示代理运行本地 OpenClaw CLI 命令（openclaw secrets audit/reload/configure）、编辑 ~/.openclaw 和代理目录下的 OpenClaw 配置文件、对 localhost 运行 curl 检查网关健康状况，以及可选地测试外部集成。这些都在声明的用途范围内。注意：指令包含一个就地读取/写入 models.json 的示例 Python 脚本——用户应审查这些更改并在安全/预发环境中运行它们。

✓ 安装机制

无安装规范和代码文件——纯指令技能。这最大限度地减少了磁盘写入和任意代码安装风险。

⚠ 凭证需求

注册表元数据声明没有必需的环境变量，但 SKILL.md 指示设置 OPENCLAW_GATEWAY_TOKEN 用于 CLI 操作，并期望将密钥（openai-api-key、brave-api-key 等）存储在 ~/.openclaw/secrets.json 中。令牌和存储的 API 密钥是敏感的；该技能没有声明或记录必需的环境变量或如何提供和保护令牌。此外，指令可能需要对代理目录（~/.openclaw/agents/*）的读写访问，其中可能包含其他敏感数据——请确认您要授予该访问权限。

ℹ 持久化与权限

该技能不是常驻的，是用户可调用的（正常）。它需要修改配置文件和协调网关重启的能力——如果应用不当可能会中断服务。它不请求更改其他技能或系统级代理设置的权限，除了其自己的配置文件。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.02026/4/11

初始版本

● 无害

安装命令

点击复制

官方npx clawhub@latest install openclaw-secrets-hygiene

镜像加速npx clawhub@latest install openclaw-secrets-hygiene --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

技能文档

Description

OpenClaw-specific secrets management and credential hygiene based on real implementation experience. Handles OpenClaw's unique patterns: gateway coordination, SecretRef format nuances, auth-profiles.json vs models.json differences, and sequential execution to avoid gateway conflicts.

When to Use

Auditing OpenClaw deployments for plaintext credentials
Migrating plaintext secrets to OpenClaw secrets management
Troubleshooting unresolved SecretRef objects
Coordinating gateway operations during secrets integration
Developing security policies for OpenClaw deployments

Inputs

Optional: Path to OpenClaw configuration directory (default: ~/.openclaw)
Optional: Agent IDs to audit (default: all agents)
Optional: Skip gateway operations flag (for analysis-only mode)

Outputs

Audit report: Plaintext findings categorized by risk level
Migration plan: Step-by-step migration instructions
Configuration templates: Updated files with secret references
Testing checklist: Validation steps for secrets integration
Troubleshooting guide: Common issues and solutions

Key Learnings from Implementation

1. Gateway Coordination is Critical

Problem: Parallel gateway restarts cause connection loss (gateway closed (1012): service restart)
Solution: Sequential execution with only one subagent authorized for gateway operations
Pattern: Analysis → Preparation → Application → Testing (single gateway restart)

2. OpenClaw SecretRef Format Nuances

JSON Pointer format: References use /secret-name (JSON Pointer with leading slash)
secrets.json keys: Use "secret-name" (NO leading slash in key names)
Correct pattern: Reference "/secret-name" → Key "secret-name" in secrets.json
Provider reference: Must match filemain provider name in openclaw.json

3. Different File Types, Different Approaches

openclaw.json: Gateway token, external API keys - use SecretRef objects
auth-profiles.json: Authentication profiles - migrate to SecretRef objects
models.json: Model provider API keys - use placeholder "secretref-managed" string (OpenClaw resolves to secrets)

4. Testing Patterns

Gateway health: curl http://127.0.0.1:18789/health
Secrets audit: openclaw secrets audit
Secrets reload: openclaw secrets reload (may need OPENCLAW_GATEWAY_TOKEN env var)
Validation: Plaintext count reduction, unresolved reference resolution

Implementation Workflow

Phase 1: Audit & Analysis

# 1. Initial audit openclaw secrets audit # 2. Categorize findings # - openclaw.json: Gateway token, external API keys # - auth-profiles.json: Authentication profiles # - models.json: Model provider API keys

# 3. Risk assessment # High: Gateway token, external API keys # Medium: Authentication profiles # Low: Model provider keys (agent-directory protected)

Phase 2: Preparation

# 1. Create centralized secrets file mkdir -p ~/.openclaw cat > ~/.openclaw/secrets.json << 'EOF' { "gateway-token": "REPLACE_WITH_TOKEN", "brave-api-key": "REPLACE_WITH_KEY", "openai-api-key": "REPLACE_WITH_KEY", "agent-openrouter-key": "REPLACE_WITH_KEY" } EOF chmod 600 ~/.openclaw/secrets.json

# 2. Update openclaw.json with secret references # Change plaintext values to: # { # "source": "file", # "provider": "filemain", # "id": "/secret-name" # }

Phase 3: Agent Configuration Updates

# 1. Update auth-profiles.json files # Change "key": "plaintext" to: # "key": { # "source": "file", # "provider": "filemain", # "id": "/secret-name" # }

# 2. Handle models.json API keys # Use placeholder string (OpenClaw will resolve from secrets): # "apiKey": "secretref-managed" # NOT SecretRef objects (causes unresolved references) # OpenClaw replaces placeholder with actual secret at runtime

Phase 4: Testing & Validation

# 1. Set gateway token for CLI operations export OPENCLAW_GATEWAY_TOKEN="your-token" # 2. Reload secrets openclaw secrets reload # 3. Verify audit improvement openclaw secrets audit # 4. Test gateway functionality curl http://127.0.0.1:18789/health

# 5. Test external integrations (if applicable) # Brave search, model API calls, etc.

Common Issues & Solutions

Issue 1: "JSON pointer segment does not exist"

Cause: Secret reference format mismatch

Solution: Ensure secrets.json has key secret-name (no slash) for reference /secret-name

Issue 2: "gateway closed (1012): service restart"

Cause: Parallel gateway operations

Solution: Sequential execution, single gateway restart point

Issue 3: "unresolved SecretRef object; regenerate models.json"

Cause: models.json contains SecretRef objects instead of placeholder strings

Solution: Replace SecretRef objects with "secretref-managed" placeholder string

Emergency fix: Use Python/script to convert {"source": "file", ...} → "secretref-managed"

import json
with open('models.json', 'r') as f:
    data = json.load(f)
if 'providers' in data:
    for provider in data['providers']:
        if 'apiKey' in data['providers'][provider]:
            if isinstance(data['providers'][provider]['apiKey'], dict):
                data['providers'][provider]['apiKey'] = 'secretref-managed'with open('models.json', 'w') as f:
    json.dump(data, f, indent=2)

Issue 4: "requires interactive TTY"

Cause: openclaw secrets configure needs terminal

Solution: Manual configuration or environment variable workaround

Security Considerations

Risk Levels

High: Gateway token, external API keys (Brave, etc.)
Medium: Authentication profiles
Low: Model provider keys (protected in agent directories)

Acceptable Deferred Items

models.json API keys may remain plaintext if:

- Files are in protected agent directories (~/.openclaw/agents/*/agent/) - No world-readable permissions - Documented as technical debt

Documentation Requirements

Migration plan with timestamps
Policy framework for ongoing management
Regular audit schedule (weekly recommended)

Templates & Examples

secrets.json Template

{
  "gateway-token": "REPLACE",
  "brave-api-key": "REPLACE",
  "openai-api-key": "REPLACE",
  "agent-openrouter-key": "REPLACE"
}

auth-profiles.json Update Template

{
  "version": 1,
  "profiles": {
    "provider:profile": {
      "type": "api_key",
      "provider": "provider",
      "key": {
        "source": "file",
        "provider": "filemain",
        "id": "/secret-name"
      }
    }
  }
}

Success Metrics

Plaintext findings reduced by 70%+
Gateway operational with secret token
External integrations working with secret keys
Documentation complete (migration plan, policies)
Regular audit schedule established

Skill Author: Based on real OpenClaw security remediation experience by jlab1201 (2026-04-11)

Lessons Incorporated: Gateway coordination, OpenClaw SecretRef patterns, emergency resolution techniques

数据来源：ClawHub ↗ · 中文优化：龙虾技能库