Add 4 OpenLobster-inspired skills (44 total)

README.md

@@ -64,7 +64,7 @@ Methodology skills that work in any runtime. Adapted from [obra/superpowers](htt
 | `skill-conflict-detector` | Detects name shadowing and description-overlap conflicts between installed skills | `detect.py` |
 | `skill-portability-checker` | Validates OS/binary dependencies in companion scripts; catches non-portable calls | `check.py` |
 
-### OpenClaw-Native (24 skills)
+### OpenClaw-Native (28 skills)
 
 Skills that require OpenClaw's persistent runtime — cron scheduling, session state, or long-running execution. Not useful in session-based tools.
 
@@ -94,6 +94,10 @@ Skills that require OpenClaw's persistent runtime — cron scheduling, session s
 | `skill-compatibility-checker` | Checks installed skills against the current OpenClaw version for feature compatibility | — | ✓ | `check.py` |
 | `heartbeat-governor` | Enforces per-skill execution budgets for cron skills; auto-pauses runaway skills | every hour | ✓ | `governor.py` |
 | `community-skill-radar` | Scans Reddit for OpenClaw pain points and feature requests; writes prioritized PROPOSALS.md | every 3 days | ✓ | `radar.py` |
+| `memory-graph-builder` | Parses MEMORY.md into a knowledge graph; detects duplicates, contradictions, and stale entries; generates compressed digest | daily 10pm | ✓ | `graph.py` |
+| `config-encryption-auditor` | Scans config directories for plaintext API keys, tokens, and world-readable permissions | Sundays 9am | ✓ | `audit.py` |
+| `tool-description-optimizer` | Scores skill descriptions for trigger quality — clarity, specificity, keyword density — and suggests rewrites | — | ✓ | `optimize.py` |
+| `mcp-health-checker` | Monitors MCP server connections for health, latency, and availability; detects stale connections | every 6h | ✓ | `check.py` |
 
 ### Community (1 skill)
 
@@ -113,7 +117,7 @@ Stateful skills commit a `STATE_SCHEMA.yaml` defining the shape of their runtime
 
 Skills marked with a script in the table above ship a small executable alongside their `SKILL.md`:
 
-- **Python scripts** (`run.py`, `audit.py`, `check.py`, `guard.py`, `bridge.py`, `onboard.py`, `sync.py`, `doctor.py`, `loadout.py`, `governor.py`, `detect.py`, `test.py`, `radar.py`) — run directly to manipulate state, generate reports, or trigger actions. No extra dependencies required; `pyyaml` is optional but recommended.
+- **Python scripts** (`run.py`, `audit.py`, `check.py`, `guard.py`, `bridge.py`, `onboard.py`, `sync.py`, `doctor.py`, `loadout.py`, `governor.py`, `detect.py`, `test.py`, `radar.py`, `graph.py`, `optimize.py`) — run directly to manipulate state, generate reports, or trigger actions. No extra dependencies required; `pyyaml` is optional but recommended.
 - **`vet.sh`** — Pure bash scanner; runs on any system with grep.
 - Each script supports `--help` and prints a human-readable summary. JSON output available where useful (`--format json`). Dry-run mode available on scripts that make changes.
 - See the `example-state.yaml` in each skill directory for sample state and a commented walkthrough of the skill's cron behaviour.
@@ -122,7 +126,7 @@ Skills marked with a script in the table above ship a small executable alongside
 
 ## Security skills at a glance
 
-Five skills address the documented top security risks for OpenClaw agents:
+Six skills address the documented top security risks for OpenClaw agents:
 
 | Threat | Skill | How |
 |---|---|---|
@@ -131,6 +135,7 @@ Five skills address the documented top security risks for OpenClaw agents:
 | Agent takes destructive action without confirmation | `dangerous-action-guard` | Pre-execution gate with 5-min expiry window and full audit trail |
 | Post-install skill tampering or credential injection | `installed-skill-auditor` | Weekly content-hash drift detection; INJECTION / CREDENTIAL / EXFILTRATION checks |
 | Silent skill loading failures hiding broken skills | `skill-doctor` | 6 diagnostic checks per skill; surfaces every load-time failure before it disappears |
+| Plaintext API keys and tokens in config files | `config-encryption-auditor` | Scans for 8 API key patterns + 3 token patterns; auto-fixes permissions; suggests env var migration |
 
 ---
 

skills/openclaw-native/config-encryption-auditor/SKILL.md

@@ -0,0 +1,81 @@
+---
+name: config-encryption-auditor
+version: "1.0"
+category: openclaw-native
+description: Scans OpenClaw config directories for plaintext API keys, tokens, and secrets in unencrypted files — flags exposure risks and suggests encryption or environment variable migration.
+stateful: true
+cron: "0 9 * * 0"
+---
+
+# Config Encryption Auditor
+
+## What it does
+
+OpenClaw stores configuration in `~/.openclaw/` — API keys, channel tokens, provider credentials. By default, these are plaintext YAML or JSON files readable by any process on your machine.
+
+OpenLobster solved this with AES-GCM encrypted config files. We can't change OpenClaw's config format, but we can audit it — scanning for exposed secrets, flagging unencrypted credential files, and suggesting migrations to environment variables or encrypted vaults.
+
+## When to invoke
+
+- Automatically, every Sunday at 9am (cron)
+- After initial OpenClaw setup
+- Before deploying to shared infrastructure
+- After any config change that adds new API keys
+
+## Checks performed
+
+| Check | Severity | What it detects |
+|---|---|---|
+| PLAINTEXT_API_KEY | CRITICAL | API key patterns in config files (sk-, AKIA, ghp_, etc.) |
+| PLAINTEXT_TOKEN | HIGH | OAuth tokens, bearer tokens, passwords in config |
+| WORLD_READABLE | HIGH | Config files with 644/755 permissions (readable by all users) |
+| NO_GITIGNORE | MEDIUM | Config directory not gitignored (risk of committing secrets) |
+| ENV_AVAILABLE | INFO | Secret could be migrated to environment variable |
+
+## How to use
+
+```bash
+python3 audit.py --scan                    # Full audit
+python3 audit.py --scan --critical-only    # CRITICAL findings only
+python3 audit.py --fix-permissions         # chmod 600 on config files
+python3 audit.py --suggest-env             # Print env var migration guide
+python3 audit.py --status                  # Last audit summary
+python3 audit.py --format json
+```
+
+## Procedure
+
+**Step 1 — Run the audit**
+
+```bash
+python3 audit.py --scan
+```
+
+**Step 2 — Fix CRITICAL issues first**
+
+For each PLAINTEXT_API_KEY finding, migrate the key to an environment variable:
+
+```bash
+# Instead of storing in config.yaml:
+#   api_key: sk-abc123...
+# Use:
+export OPENCLAW_API_KEY="sk-abc123..."
+```
+
+**Step 3 — Fix file permissions**
+
+```bash
+python3 audit.py --fix-permissions
+```
+
+This sets `chmod 600` on all config files (owner read/write only).
+
+**Step 4 — Verify gitignore coverage**
+
+Ensure `~/.openclaw/` or at minimum the config files are in your global `.gitignore`.
+
+## State
+
+Audit results and history stored in `~/.openclaw/skill-state/config-encryption-auditor/state.yaml`.
+
+Fields: `last_audit_at`, `findings`, `files_scanned`, `audit_history`.

skills/openclaw-native/config-encryption-auditor/STATE_SCHEMA.yaml

@@ -0,0 +1,27 @@
+version: "1.0"
+description: Config file audit results — plaintext secrets, permission issues, and migration suggestions.
+fields:
+  last_audit_at:
+    type: datetime
+  files_scanned:
+    type: integer
+    default: 0
+  findings:
+    type: list
+    items:
+      file_path:   { type: string }
+      check:       { type: enum, values: [PLAINTEXT_API_KEY, PLAINTEXT_TOKEN, WORLD_READABLE, NO_GITIGNORE, ENV_AVAILABLE] }
+      severity:    { type: enum, values: [CRITICAL, HIGH, MEDIUM, INFO] }
+      detail:      { type: string }
+      suggestion:  { type: string }
+      detected_at: { type: datetime }
+      resolved:    { type: boolean }
+  audit_history:
+    type: list
+    description: Rolling audit summaries (last 12)
+    items:
+      audited_at:     { type: datetime }
+      files_scanned:  { type: integer }
+      critical_count: { type: integer }
+      high_count:     { type: integer }
+      medium_count:   { type: integer }