|
| 1 | +--- |
| 2 | +name: config-encryption-auditor |
| 3 | +version: "1.0" |
| 4 | +category: openclaw-native |
| 5 | +description: Scans OpenClaw config directories for plaintext API keys, tokens, and secrets in unencrypted files — flags exposure risks and suggests encryption or environment variable migration. |
| 6 | +stateful: true |
| 7 | +cron: "0 9 * * 0" |
| 8 | +--- |
| 9 | + |
| 10 | +# Config Encryption Auditor |
| 11 | + |
| 12 | +## What it does |
| 13 | + |
| 14 | +OpenClaw stores configuration in `~/.openclaw/` — API keys, channel tokens, provider credentials. By default, these are plaintext YAML or JSON files readable by any process on your machine. |
| 15 | + |
| 16 | +OpenLobster solved this with AES-GCM encrypted config files. We can't change OpenClaw's config format, but we can audit it — scanning for exposed secrets, flagging unencrypted credential files, and suggesting migrations to environment variables or encrypted vaults. |
| 17 | + |
| 18 | +## When to invoke |
| 19 | + |
| 20 | +- Automatically, every Sunday at 9am (cron) |
| 21 | +- After initial OpenClaw setup |
| 22 | +- Before deploying to shared infrastructure |
| 23 | +- After any config change that adds new API keys |
| 24 | + |
| 25 | +## Checks performed |
| 26 | + |
| 27 | +| Check | Severity | What it detects | |
| 28 | +|---|---|---| |
| 29 | +| PLAINTEXT_API_KEY | CRITICAL | API key patterns in config files (sk-, AKIA, ghp_, etc.) | |
| 30 | +| PLAINTEXT_TOKEN | HIGH | OAuth tokens, bearer tokens, passwords in config | |
| 31 | +| WORLD_READABLE | HIGH | Config files with 644/755 permissions (readable by all users) | |
| 32 | +| NO_GITIGNORE | MEDIUM | Config directory not gitignored (risk of committing secrets) | |
| 33 | +| ENV_AVAILABLE | INFO | Secret could be migrated to environment variable | |
| 34 | + |
| 35 | +## How to use |
| 36 | + |
| 37 | +```bash |
| 38 | +python3 audit.py --scan # Full audit |
| 39 | +python3 audit.py --scan --critical-only # CRITICAL findings only |
| 40 | +python3 audit.py --fix-permissions # chmod 600 on config files |
| 41 | +python3 audit.py --suggest-env # Print env var migration guide |
| 42 | +python3 audit.py --status # Last audit summary |
| 43 | +python3 audit.py --format json |
| 44 | +``` |
| 45 | + |
| 46 | +## Procedure |
| 47 | + |
| 48 | +**Step 1 — Run the audit** |
| 49 | + |
| 50 | +```bash |
| 51 | +python3 audit.py --scan |
| 52 | +``` |
| 53 | + |
| 54 | +**Step 2 — Fix CRITICAL issues first** |
| 55 | + |
| 56 | +For each PLAINTEXT_API_KEY finding, migrate the key to an environment variable: |
| 57 | + |
| 58 | +```bash |
| 59 | +# Instead of storing in config.yaml: |
| 60 | +# api_key: sk-abc123... |
| 61 | +# Use: |
| 62 | +export OPENCLAW_API_KEY="sk-abc123..." |
| 63 | +``` |
| 64 | + |
| 65 | +**Step 3 — Fix file permissions** |
| 66 | + |
| 67 | +```bash |
| 68 | +python3 audit.py --fix-permissions |
| 69 | +``` |
| 70 | + |
| 71 | +This sets `chmod 600` on all config files (owner read/write only). |
| 72 | + |
| 73 | +**Step 4 — Verify gitignore coverage** |
| 74 | + |
| 75 | +Ensure `~/.openclaw/` or at minimum the config files are in your global `.gitignore`. |
| 76 | + |
| 77 | +## State |
| 78 | + |
| 79 | +Audit results and history stored in `~/.openclaw/skill-state/config-encryption-auditor/state.yaml`. |
| 80 | + |
| 81 | +Fields: `last_audit_at`, `findings`, `files_scanned`, `audit_history`. |
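Review bot: The State section (lines 79-81) persists `findings` to `~/.openclaw/skill-state/config-encryption-auditor/state.yaml`, which sits inside the directory being audited, and nothing in the document says the matched secret values are redacted before they are written. If a finding records the matched string, the state file becomes one more plaintext copy of every key the audit found, and `--status` and `--format json` would echo it. Please state here that findings store only the file path, check name and a masked value, that state.yaml is created with mode 600, and whether the scan skips `skill-state/`. Two smaller points in the same file: Step 2 (lines 56-62) shows the `export` but never tells the reader to remove `api_key` from config.yaml afterwards, so the CRITICAL finding would still be present on the next run, and the doc does not say that OpenClaw actually reads `OPENCLAW_API_KEY`. The WORLD_READABLE row (line 31) names only 644/755, so it is unclear whether modes such as 640, 664 or 666 are flagged. Describing the check as "any group or other permission bit set" would remove the ambiguity.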