openclaw-vault-pro
Full credential lifecycle security: detect exposed credentials, auto-fix permissions, quarantine exposed files, rotation tracking, git history scanning, and automated protection. Everything in openclaw-vault (free) plus automated countermeasures.
Best use case
openclaw-vault-pro is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Full credential lifecycle security: detect exposed credentials, auto-fix permissions, quarantine exposed files, rotation tracking, git history scanning, and automated protection. Everything in openclaw-vault (free) plus automated countermeasures.
Teams using openclaw-vault-pro should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/openclaw-vault-pro/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How openclaw-vault-pro Compares
| Feature / Agent | openclaw-vault-pro | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Full credential lifecycle security: detect exposed credentials, auto-fix permissions, quarantine exposed files, rotation tracking, git history scanning, and automated protection. Everything in openclaw-vault (free) plus automated countermeasures.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OpenClaw Vault Pro
Everything in [openclaw-vault](https://github.com/AtlasPA/openclaw-vault) (free) plus automated countermeasures.
**Free version detects threats. Pro version subverts, quarantines, and defends.**
## Detection Commands (also in free)
### Full Credential Audit
Comprehensive credential exposure audit: permission checks, shell history, git config, config file scanning, log file scanning, gitignore coverage, and staleness detection.
```bash
python3 {baseDir}/scripts/vault.py audit --workspace /path/to/workspace
```
### Exposure Check
Detect credential exposure vectors: misconfigured permissions, public directory exposure, git history risks, Docker credential embedding, shell alias leaks, and URL query parameter credentials in code.
```bash
python3 {baseDir}/scripts/vault.py exposure --workspace /path/to/workspace
```
### Credential Inventory
Build a structured inventory of all credential files in the workspace. Categorizes by type (API key, database URI, token, certificate, SSH key, password), tracks age, and flags stale or exposed credentials.
```bash
python3 {baseDir}/scripts/vault.py inventory --workspace /path/to/workspace
```
### Quick Status
One-line summary: credential count, exposure count, staleness warnings.
```bash
python3 {baseDir}/scripts/vault.py status --workspace /path/to/workspace
```
## Pro Countermeasures
### Fix Permissions
Auto-fix file permissions on all credential files. Sets .env files and other credential files to owner-readable only (chmod 600 on Unix, restricted ACLs via icacls on Windows).
```bash
python3 {baseDir}/scripts/vault.py fix-permissions --workspace /path/to/workspace
```
### Quarantine
Move an exposed credential file to `.quarantine/vault/` with metadata recording the original location and reason. The file is removed from its original location to prevent further exposure.
```bash
python3 {baseDir}/scripts/vault.py quarantine <file> --workspace /path/to/workspace
```
### Unquarantine
Restore a previously quarantined credential file to its original location. Matches by original path or quarantine file name.
```bash
python3 {baseDir}/scripts/vault.py unquarantine <file> --workspace /path/to/workspace
```
### Rotation Check
Check credential file ages and generate a rotation schedule. Files exceeding the max-age threshold are flagged as overdue. Files approaching the threshold are flagged as approaching. Default threshold is 90 days.
```bash
python3 {baseDir}/scripts/vault.py rotate-check --workspace /path/to/workspace
python3 {baseDir}/scripts/vault.py rotate-check --max-age 60 --workspace /path/to/workspace
```
### Git Guard
Scan git history for accidentally committed credentials. Uses `git log --diff-filter=A` to find credential files that were added (and possibly later removed). Checks whether credentials are still in HEAD or only in history. Provides remediation guidance.
```bash
python3 {baseDir}/scripts/vault.py gitguard --workspace /path/to/workspace
```
### Protect (Automated Sweep)
Full automated protection sweep in one command: audit all credentials, check exposure vectors, fix permissions, quarantine high-risk exposed files, check rotation schedule, and produce a comprehensive report. Recommended for session startup.
```bash
python3 {baseDir}/scripts/vault.py protect --workspace /path/to/workspace
python3 {baseDir}/scripts/vault.py protect --max-age 60 --workspace /path/to/workspace
```
## Recommended Integration
### Session Startup Hook (Claude Code)
```json
{
"hooks": {
"SessionStart": [
{
"hooks": [
{
"type": "command",
"command": "python3 scripts/vault.py protect",
"timeout": 30
}
]
}
]
}
}
```
### Heartbeat (OpenClaw)
Add to HEARTBEAT.md for periodic credential protection:
```
- Run credential protection sweep (python3 {skill:openclaw-vault-pro}/scripts/vault.py protect)
```
## Workspace Auto-Detection
If `--workspace` is omitted, the script tries:
1. `OPENCLAW_WORKSPACE` environment variable
2. Current directory (if AGENTS.md exists)
3. `~/.openclaw/workspace` (default)
## What It Checks
| Category | Details |
|----------|---------|
| **Permissions** | .env files with world-readable or group-readable permissions |
| **Shell History** | Credentials in .bash_history, .zsh_history, .python_history, etc. |
| **Git Config** | Credentials embedded in git remote URLs, plaintext credential helpers |
| **Config Files** | Hardcoded secrets in JSON, YAML, TOML, INI config files |
| **Log Files** | Credentials accidentally logged in .log files |
| **Gitignore** | Missing patterns for .env, *.pem, *.key, credentials.json, etc. |
| **Staleness** | Credential files older than threshold that may need rotation |
| **Public Dirs** | Credential files in public/, static/, www/, dist/, build/ |
| **Git History** | Credential files in git repos that may be committed |
| **Docker** | Secrets hardcoded in Dockerfile and docker-compose configs |
| **Shell RC** | Credentials in .bashrc, .zshrc, .profile aliases |
| **URL Params** | API keys/tokens passed in URL query strings in code |
## Exit Codes
- `0` -- Clean, no issues
- `1` -- Warnings detected (review needed)
- `2` -- Critical exposure detected (action needed)
## No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
## Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.Related Skills
OpenClaw-Finnhub
OpenClaw skill for real-time stock quote, and financials via Finnhub API.
openclaw-nextcloud
Manage Notes, Tasks, Calendar, Files, and Contacts in your Nextcloud instance via CalDAV, WebDAV, and Notes API. Use for creating notes, managing todos and calendar events, uploading/downloading files, and managing contacts.
openclaw-safety-coach
Safety coach for OpenClaw users. Refuses harmful, illegal, or unsafe requests and provides practical guidance to reduce ecosystem risk (malicious skills, tool abuse, secret exfiltration, prompt injection).
openclaw
openclaw
openclaw-spacesuit
**A framework scaffold for OpenClaw workspaces.**
nutrient-openclaw
Document processing for OpenClaw — convert, extract, OCR, redact, sign, and watermark PDFs and Office documents using the Nutrient DWS API. Use when asked to convert documents (DOCX/XLSX/PPTX to PDF, PDF to images or Office formats), extract text or tables from PDFs, apply OCR to scanned documents, redact sensitive information or PII, add watermarks, or digitally sign documents. Triggers on "convert to PDF", "extract text", "OCR this", "redact PII", "watermark", "sign document", or any document processing request.
openclaw-setup
Set up a complete OpenClaw personal AI assistant from scratch using Claude Code. Walks through AWS provisioning, OpenClaw installation, Telegram bot creation, API configuration, Google Workspace integration, security hardening, and all power features. Give this to Claude Code and it handles the rest.
OpenClaw Optimizer Skill
## Overview
openclaw-backup
Enhanced backup and restore for openclaw configuration, skills, commands, and settings. Sync across devices, version control with git, automate backups, and migrate to new machines with advanced compression.
clawvault
Structured memory system for OpenClaw agents. Context death resilience (checkpoint/recover), structured storage, Obsidian-compatible markdown, and local semantic search.
openclaw-trakt
Track and recommend TV shows and movies using Trakt.tv. Use when the user asks for show/movie recommendations, wants to track what they're watching, check their watchlist, or get personalized suggestions based on their viewing history. Requires Trakt.tv account with Pro subscription for full functionality.
OpenClaw Claude Code Skill
## Description