Secure API key management and protection guidelines for OpenClaw skills
On February 10, 2026, we discovered a critical security issue:
- API keys were hardcoded in documentation
- Plaintext secrets were committed to version control
- Risk of public exposure on GitHub
This skill provides comprehensive security practices to prevent these issues.
- ❌ NEVER hardcode API keys in code
- ❌ NEVER include plaintext keys in documentation
- ❌ NEVER commit key files to version control
- ❌ NEVER log full keys in output
- ✅ Use environment variables for key management
- ✅ Use external config files (protected by .gitignore)
- ✅ Provide secure configuration instructions
- ✅ Implement key rotation mechanisms
```python
from api_security import SecureConfig

config = SecureConfig()
api_key = config.get_api_key("alpha_vantage")
# Returns key from env var or secure file
```

```bash
python security_scanner.py .                    # Scan current directory
python security_scanner.py --output report.txt  # Save report
```

- Security best practices
- Configuration examples
- Emergency response procedures
- Pre-commit checks
- Skill creation checklist
- Git safety guidelines
```bash
# Clone this skill
git clone https://github.com/ZanderH-code/openclaw-api-security.git

# Or install via ClawHub (coming soon)
openclaw skill install api-security
```

```python
from api_security import SecureConfig

# Initialize
config = SecureConfig()

# Get API key safely
key = config.get_api_key("openai", env_var="OPENAI_API_KEY")

# Create secure key file
config.create_key_file("alpha_vantage", "your_key_here")

# Check key safety
warnings = config.check_key_safety("test_key", "weak123")
```

```bash
# Scan for exposed credentials
python security_scanner.py /path/to/skill

# Scan with JSON output
python security_scanner.py --format json --output findings.json

# Exit code indicates security issues
echo $?  # 0 = safe, 1 = security issues found
```

Skill creation checklist:
- No `API_KEY = "plaintext"` in code
- No plaintext keys in documentation
- `.gitignore` file configured
- Environment variable instructions provided
- External file configuration instructions provided
- Secure key loading tested
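The loading pattern the quick start and usage sections rely on (environment variable first, then a key file readable only by its owner, never the full key in logs, rotation tracked by file age) is shown below as an added, self-contained example. It is not the `api_security` module itself: the function names mirror the ones used above, but the `OPENCLAW_SECURE_DIR` default, the 90-day rotation check, the masking rule and the weakness heuristics in `check_key_safety` are assumptions made for this illustration.

```python
# Added illustration of the SecureConfig pattern: env var first, then a
# chmod-600 key file, masked logging, and a rotation-age check.
# Hypothetical stand-in for demonstration, not the api_security module.
from __future__ import annotations

import os
import stat
import string
import time
from pathlib import Path

DEFAULT_KEY_DIR = Path.home() / ".openclaw" / "secure"   # assumed default location
ROTATION_DAYS = 90                                       # rotation interval from the guidelines
# Placeholder values that must never be treated as real credentials
PLACEHOLDERS = {
    "your_api_key_here", "your_api_key", "api_key_placeholder",
    "replace_with_your_key", "your_secret_here", "your_key_here",
}


def mask_key(key: str) -> str:
    """Return a log-safe form that reveals at most the last four characters."""
    if len(key) <= 8:
        return "****"
    return "*" * (len(key) - 4) + key[-4:]


def check_key_safety(name: str, key: str) -> list[str]:
    """Return warnings for keys that are placeholders, short, or low-diversity (heuristic)."""
    warnings = []
    if key.strip().lower() in PLACEHOLDERS:
        warnings.append(f"{name}: value is a placeholder, not a real key")
    if len(key) < 16:
        warnings.append(f"{name}: key is only {len(key)} characters long")
    kinds = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
    if sum(any(c in kind for c in key) for kind in kinds) < 3:
        warnings.append(f"{name}: low character diversity")
    return warnings


def create_key_file(name: str, key: str, key_dir: Path = DEFAULT_KEY_DIR) -> Path:
    """Write the key to <key_dir>/<name>.key, created with mode 0600 from the start."""
    key_dir.mkdir(parents=True, exist_ok=True)
    key_dir.chmod(0o700)
    path = key_dir / f"{name}.key"
    # os.open with an explicit mode avoids a window where the file is world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key.strip() + "\n")
    os.chmod(path, 0o600)  # in case the file already existed with looser bits
    return path


def get_api_key(name: str, env_var: str | None = None, key_dir: Path = DEFAULT_KEY_DIR) -> str:
    """Env var first, then the key file; refuse key files readable by group/others."""
    env_var = env_var or f"{name.upper()}_API_KEY"
    value = os.environ.get(env_var, "").strip()
    if value:
        return value
    path = key_dir / f"{name}.key"
    if not path.is_file():
        raise KeyError(f"no key for {name!r}: set ${env_var} or create {path}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; run chmod 600 on it")
    return path.read_text(encoding="utf-8").strip()


def rotation_due(name: str, key_dir: Path = DEFAULT_KEY_DIR,
                 max_age_days: int = ROTATION_DAYS, now: float | None = None) -> bool:
    """True when the key file is older than the rotation interval."""
    path = key_dir / f"{name}.key"
    age_days = ((now if now is not None else time.time()) - path.stat().st_mtime) / 86400
    return age_days > max_age_days


if __name__ == "__main__":
    # Demo against a throwaway directory so nothing touches ~/.openclaw
    import tempfile
    demo_dir = Path(tempfile.mkdtemp())
    create_key_file("alpha_vantage", "demo-value-ABCDEFGH12", key_dir=demo_dir)
    loaded = get_api_key("alpha_vantage", key_dir=demo_dir)
    print("loaded key:", mask_key(loaded))          # never print the full key
    print("rotation due:", rotation_due("alpha_vantage", key_dir=demo_dir))
    print("warnings:", check_key_safety("test_key", "weak123"))
```

The permission check is deliberately on the mode bits rather than on whether the file can be read: a key file left at 0644 is a finding even when the current user can read it fine, because the point of the check is that nobody else can.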
Pre-commit checks:

```bash
# Check for sensitive information
grep -r "API_KEY\|PASSWORD\|SECRET" . --include="*.py" --include="*.md"

# Check .gitignore effectiveness
git status --ignored

# Run security scanner
python security_scanner.py .
```

Environment variables:

```bash
export ALPHA_VANTAGE_API_KEY=your_key_here
export OPENAI_API_KEY=your_key_here
export GITHUB_TOKEN=your_key_here
```

External key file:

```bash
# Create secure key file
mkdir -p ~/.openclaw/secure
echo "your_key_here" > ~/.openclaw/secure/alpha_vantage.key  # note: this line is also recorded in shell history
chmod 600 ~/.openclaw/secure/alpha_vantage.key               # Owner read/write only
```

```bash
# .env file (add to .gitignore)
API_KEY=your_key_here
DATABASE_URL=your_database_url
```

```gitignore
# .gitignore must contain:
.env
*.key
*.secret
config/secret*.json
```

The scanner detects:
- Hardcoded API keys in Python/JSON/YAML files
- Plaintext passwords in documentation
- Credentials in URLs (with auth)
- Test/demo keys with warnings
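The `.gitignore` check above (`git status --ignored`) answers two questions: are the required patterns present, and has a secret file already slipped into the tracked set? The following added example (not part of the skill) does that offline from the `.gitignore` text and a list of tracked paths as `git ls-files` prints them; the sample `.gitignore` and path list are constructed, and the gitignore matching is a simplified approximation (basename match for patterns without a slash, whole-path match otherwise).

```python
# Added example of the ".gitignore effectiveness" check: required patterns
# present, and no tracked file matching a secret pattern. Not the project's code.
from __future__ import annotations

import fnmatch
import subprocess

# The four patterns the guidelines require in .gitignore
REQUIRED_PATTERNS = [".env", "*.key", "*.secret", "config/secret*.json"]


def parse_gitignore(text: str) -> list[str]:
    """Return the active patterns, dropping blank lines, comments and negations."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and not line.startswith("!"):
            patterns.append(line)
    return patterns


def matches(pattern: str, path: str) -> bool:
    """Approximate gitignore semantics: a pattern without '/' matches the basename
    at any depth; a pattern containing '/' is matched against the whole path."""
    if "/" in pattern.strip("/"):
        return fnmatch.fnmatchcase(path, pattern.lstrip("/"))
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)


def missing_patterns(gitignore_text: str) -> list[str]:
    """Required patterns that the .gitignore does not contain."""
    present = set(parse_gitignore(gitignore_text))
    return [p for p in REQUIRED_PATTERNS if p not in present]


def exposed_tracked_files(tracked: list[str]) -> list[str]:
    """Tracked files are by definition not ignored, so any tracked path that looks
    like a secret file is already in version control and needs attention."""
    return [p for p in tracked if any(matches(pat, p) for pat in REQUIRED_PATTERNS)]


def tracked_files(repo: str = ".") -> list[str]:
    """Real-repository variant: ask git for the tracked paths."""
    result = subprocess.run(["git", "-C", repo, "ls-files"],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


# Constructed sample input: *.secret is missing, and several secret-looking files are tracked
SAMPLE_GITIGNORE = ".env\n*.key\n# secrets\nconfig/secret*.json\n"
SAMPLE_TRACKED = [
    "skill/config.py", "keys/alpha.key", "README.md",
    "config/secret_prod.json", "config/public.json", "notes.secret", "skill/.env",
]

if __name__ == "__main__":
    print("missing patterns:", missing_patterns(SAMPLE_GITIGNORE))
    print("tracked secret files:", exposed_tracked_files(SAMPLE_TRACKED))
```

Note that a file that was committed before the pattern was added stays tracked even after `.gitignore` is fixed; it has to be removed from the index (and, per the emergency procedure below, the key rotated) for the pattern to take effect.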
Recognized placeholders:
- `your_api_key_here`
- `YOUR_API_KEY`
- `API_KEY_PLACEHOLDER`
- `replace_with_your_key`
- `your_secret_here`

Risk levels:
- HIGH RISK: Production keys, real credentials
- LOW RISK: Test/demo keys, placeholders
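To make the detection and risk rules above concrete, here is an added example scanner that is not `security_scanner.py` itself: it applies regex rules for hardcoded keys in code/config files, plaintext secrets in documentation and credentials embedded in URLs, downgrades placeholder and obvious test/demo values to LOW risk, masks values in the JSON report, and returns exit code 1 only when a HIGH finding remains. The sample files are constructed, and the extension sets, the test/demo prefixes and the regexes are choices made for this illustration.

```python
# Added example of the detection logic described in the scanner section.
# Hypothetical code, not security_scanner.py; sample files are constructed.
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass
from pathlib import Path, PurePosixPath

CODE_EXT = {".py", ".json", ".yaml", ".yml", ".env", ".toml"}
DOC_EXT = {".md", ".rst", ".txt"}
PLACEHOLDERS = {"your_api_key_here", "your_api_key", "api_key_placeholder",
                "replace_with_your_key", "your_secret_here", "your_key_here"}

# name = "value" / name: value; group 2 is a quoted value, group 3 an unquoted one
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret(?:[_-]?key)?|token|password)\b\s*[:=]\s*"
    r"(?:[\"']([^\"'\s]{6,})[\"']|([A-Za-z0-9_\-./+=]{6,})(?=\s*$|\s*#|`))"
)
# scheme://user:password@host...  (group 2 is the password)
URL_CREDS = re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://([^\s/:@\"']+):([^\s/@\"']+)@[^\s\"']+")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str
    risk: str  # "HIGH" or "LOW"


def classify(value: str) -> str:
    """Placeholders and obvious test/demo values are LOW risk; anything else HIGH (heuristic)."""
    v = value.lower()
    if v in PLACEHOLDERS or "placeholder" in v or v.startswith(("test", "demo", "example", "dummy", "fake")):
        return "LOW"
    return "HIGH"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line of one file."""
    in_docs = (PurePosixPath(path).suffix or PurePosixPath(path).name) in DOC_EXT
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_CREDS.finditer(line):
            findings.append(Finding(path, lineno, "credentials in URL", m.group(2), classify(m.group(2))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2) or m.group(3)
            kind = "plaintext secret in documentation" if in_docs else "hardcoded key"
            findings.append(Finding(path, lineno, kind, value, classify(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: str) -> list[Finding]:
    """Disk variant: walk a skill directory, skipping .git."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts and (p.suffix or p.name) in CODE_EXT | DOC_EXT:
            findings.extend(scan_text(p.relative_to(root).as_posix(),
                                      p.read_text(encoding="utf-8", errors="replace")))
    return findings


def exit_code(findings: list[Finding]) -> int:
    """0 = safe, 1 = at least one HIGH-risk finding."""
    return 1 if any(f.risk == "HIGH" for f in findings) else 0


def to_json(findings: list[Finding]) -> str:
    """Report findings without echoing the full secret value."""
    rows = []
    for f in findings:
        row = asdict(f)
        row["value"] = "****" + f.value[-4:]
        rows.append(row)
    return json.dumps(rows, indent=2)


# Constructed sample skill: one real-looking key, one demo key, one placeholder,
# one credential inside a database URL, and a password written into the README.
SAMPLE_FILES = {
    "skill/config.py": 'API_KEY = "AKEXAMPLE0123456789abcdef"\nmodel = "gpt"\n',
    "skill/settings.yaml": "openai:\n  token: demo_key_for_docs\n",
    "skill/.env": "API_KEY=your_key_here\nDATABASE_URL=postgres://admin:S3cretPass@db.internal/app\n",
    "README.md": "Set `API_KEY=your_api_key_here` and PASSWORD: hunter2secret\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    print(to_json(found))
    raise SystemExit(exit_code(found))
```

Running the block reports six findings (three HIGH, three LOW) and exits with status 1, which is what a pre-commit hook wants: placeholders in documentation do not block a commit, a real-looking key in `config.py` does.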
Emergency response procedure (if a key is exposed):
- Immediate Key Rotation - Reset at service provider
- Review Commit History - Determine exposure scope
- Revoke Access - If possible
- Monitor for Abuse - Watch API usage patterns
- Update Documentation - Remove all plaintext keys

Security best practices:
- Regular Key Rotation - Every 90 days
- Principle of Least Privilege - Grant only necessary permissions
- Use Key Aliases - For easier management and revocation
- Enable Audit Logs - Record all API calls
If you discover a security vulnerability:
- DO NOT create a public issue
- Email: security@example.com
- Include details and steps to reproduce

For other (non-security) issues:
- Create an issue on GitHub
- Include a detailed description
- Provide reproduction steps if applicable
This skill is released under the MIT License. See LICENSE file for details.
- GitHub Issues: open issues
- OpenClaw Discord: community support
Created: February 10, 2026
Last Updated: February 10, 2026
Maintainer: ZanderH-code
Status: Actively Maintained ✅