openclaw-vault

# OpenClaw Vault

Protects your credential lifecycle — not just finding secrets in source code (that's what Sentry does), but tracking how credentials are exposed through services, permissions, history, configs, containers, and time.

## Why This Matters

Credentials don't just leak through source code. They leak through:
- **Permissions** — .env files readable by every user on the system
- **Shell history** — passwords and tokens visible in `.bash_history`
- **Git config** — credentials embedded in remote URLs
- **Config files** — hardcoded secrets in JSON/YAML/TOML/INI configs
- **Log files** — tokens accidentally logged during debugging
- **Docker configs** — secrets baked into container images
- **Staleness** — credentials that haven't been rotated in months

This skill watches the full credential lifecycle. Sentry finds secrets in files. Vault finds secrets that are *exposed*.


## Commands

### Full Credential Audit

Comprehensive credential exposure audit: permission checks, shell history, git config, config file scanning, log file scanning, gitignore coverage, and staleness detection.

```bash
python3 {baseDir}/scripts/vault.py audit --workspace /path/to/workspace
```

### Exposure Check

Detect credential exposure vectors: misconfigured permissions, public directory exposure, git history risks, Docker credential embedding, shell alias leaks, and URL query parameter credentials in code.

```bash
python3 {baseDir}/scripts/vault.py exposure --workspace /path/to/workspace
```

### Credential Inventory

Build a structured inventory of all credential files in the workspace. Categorizes by type (API key, database URI, token, certificate, SSH key, password), tracks age, and flags stale or exposed credentials.

```bash
python3 {baseDir}/scripts/vault.py inventory --workspace /path/to/workspace
```

### Quick Status

One-line summary: credential count, exposure count, staleness warnings.

```bash
python3 {baseDir}/scripts/vault.py status --workspace /path/to/workspac...

# OpenClaw Vault

Credential lifecycle protection for [OpenClaw](https://github.com/openclaw/openclaw), [Claude Code](https://docs.anthropic.com/en/docs/claude-code), and any Agent Skills-compatible tool.

Audits credential exposure, detects misconfigured permissions, inventories all secrets, and identifies stale credentials needing rotation — the credential lifecycle layer that secret scanners miss.


## The Problem

Secret scanners find credentials in source code. But credentials also leak through misconfigured file permissions, shell history, git configs, Docker images, log files, and simple neglect (stale credentials that haven't been rotated in months).

Nothing watches the *credential lifecycle* — how credentials are stored, exposed, aged, and transmitted. This skill does.

## Install

```bash
# Clone
git clone https://github.com/AtlasPA/openclaw-vault.git

# Copy to your workspace skills directory
cp -r openclaw-vault ~/.openclaw/workspace/skills/
```

## Usage

```bash
# Full credential audit
python3 scripts/vault.py audit

# Check exposure vectors
python3 scripts/vault.py exposure

# Credential inventory
python3 scripts/vault.py inventory

# Quick status
python3 scripts/vault.py status
```

All commands accept `--workspace /path/to/workspace`. If omitted, auto-detects from `$OPENCLAW_WORKSPACE`, current directory, or `~/.openclaw/workspace`.

## What It Detects

### Credential Audit
- `.env` files with world-readable or group-readable permissions
- Credentials leaked in shell history (`.bash_history`, `.zsh_history`, `.python_history`)
- Credentials embedded in git config (remote URLs, plaintext credential helpers)
- Hardcoded credentials in config files (JSON, YAML, TOML, INI)
- Credentials accidentally logged in `.log` files
- Missing `.gitignore` patterns for credential files
- Stale credential files older than 90 days (rotation needed)

### Exposure Vectors
- `.env` files without restrictive permissions
- Credential files in publicly accessible director...