openclaw-sentry

# OpenClaw Sentry

Scans your agent workspace for leaked secrets — API keys, tokens, passwords, private keys, and credentials that should never be in plain text.

## The Problem

Agent workspaces accumulate secrets: API keys in config files, tokens in memory logs, passwords in environment files. A single leaked credential can compromise your entire infrastructure. Existing secret scanners work on git repos — nothing watches the agent workspace itself.


## Commands

### Full Scan

Scan all workspace files for secrets and high-risk files.

```bash
python3 {baseDir}/scripts/sentry.py scan --workspace /path/to/workspace
```

### Check Single File

Check a specific file for secrets.

```bash
python3 {baseDir}/scripts/sentry.py check MEMORY.md --workspace /path/to/workspace
```

### Quick Status

One-line summary of secret exposure risk.

```bash
python3 {baseDir}/scripts/sentry.py status --workspace /path/to/workspace
```

## What It Detects

| Provider | Patterns |
|----------|----------|
| **AWS** | Access keys (AKIA...), secret keys |
| **GitHub** | PATs (ghp_, gho_, ghs_, ghr_, github_pat_) |
| **Slack** | Bot/user tokens (xox...), webhooks |
| **Stripe** | Secret keys (sk_live_), publishable keys |
| **OpenAI** | API keys (sk-...) |
| **Anthropic** | API keys (sk-ant-...) |
| **Google** | API keys (AIza...), OAuth secrets |
| **Azure** | Storage account keys |
| **Generic** | API keys, secrets, passwords, bearer tokens, connection strings |
| **Crypto** | PEM private keys, .key/.pem/.p12 files |
| **Database** | PostgreSQL/MySQL/MongoDB/Redis URLs with credentials |
| **JWT** | JSON Web Tokens |
| **Environment** | .env files with variables |

## Exit Codes

- `0` — Clean, no secrets found
- `1` — Warnings (high-risk files detected)
- `2` — Critical secrets found

## No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

## Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the A...

# OpenClaw Sentry

Secret scanner for [OpenClaw](https://github.com/openclaw/openclaw), [Claude Code](https://docs.anthropic.com/en/docs/claude-code), and any Agent Skills-compatible tool.

Scans workspace files for leaked API keys, tokens, passwords, private keys, and credentials — the secrets that agent workspaces silently accumulate.


## The Problem

Agent workspaces accumulate secrets: API keys in config files, tokens in memory logs, passwords in environment files. A single leaked credential can compromise your entire infrastructure. Existing secret scanners work on git repos — nothing watches the agent workspace itself.

## Install

```bash
# Clone
git clone https://github.com/AtlasPA/openclaw-sentry.git

# Copy to your workspace skills directory
cp -r openclaw-sentry ~/.openclaw/workspace/skills/
```

## Usage

```bash
# Full secret scan
python3 scripts/sentry.py scan

# Check a single file
python3 scripts/sentry.py check MEMORY.md

# Quick status
python3 scripts/sentry.py status
```

All commands accept `--workspace /path/to/workspace`. If omitted, auto-detects from `$OPENCLAW_WORKSPACE`, current directory, or `~/.openclaw/workspace`.

## What It Detects

- **AWS** — Access keys (AKIA...), secret access keys
- **GitHub** — Personal access tokens (ghp_, gho_, ghs_, ghr_, github_pat_)
- **Slack** — Bot/user tokens (xox...), webhook URLs
- **Stripe** — Secret keys (sk_live_), publishable keys (pk_live_)
- **OpenAI** — API keys (sk-...)
- **Anthropic** — API keys (sk-ant-...)
- **Google** — API keys (AIza...), OAuth client secrets
- **Azure** — Storage account keys
- **Generic** — API keys, secrets, passwords, bearer tokens, connection strings
- **Private Keys** — PEM files, .key/.pem/.p12/.pfx extensions
- **Database URLs** — PostgreSQL, MySQL, MongoDB, Redis with credentials
- **JWT Tokens** — JSON Web Tokens in plain text
- **Environment Files** — .env files with variables
- **.gitignore gaps** — Missing patterns for common secret files


|---------|------|--...