
Credential Hygiene Validator

Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and more.

Author: techris93
Developer tools | clawhub v1.0.0 | 1 version | 100000 | Key: not required
Stars: 0 | Downloads: 587 | Installs: 8 | Versions: 1 | #latest

Overview

Checks whether credentials and tokens in config files are stored with reasonable hygiene. Catches common mistakes before they become incidents.

What it checks

  1. File permissions -- config files should be 600 or 700, not world-readable
  2. Plaintext tokens -- scans for hex tokens, JWTs (base64url with dots), Bearer strings, and API keys
  3. Git repo contamination -- whether the config directory sits inside a git working tree
  4. Gitignore coverage -- whether .gitignore excludes credential paths
  5. Log file leaks -- tokens appearing in log output (checks all formats: hex, JWT, Bearer per RFC 6750)
  6. Token age -- warns if tokens have not been rotated recently
  7. Atomic write safety -- checks if config backup exists (indicator of safe write patterns)

When to use it

  • After setting up a new tool or service
  • Before pushing dotfiles to a public repo
  • As part of a regular security hygiene review
  • When onboarding a new machine
  • After rotating credentials, to confirm the old token is gone

Example prompts

  • "Check if my OpenClaw tokens are stored safely"
  • "Audit my dotfiles for leaked credentials"
  • "Is my config directory in a git repo?"
  • "Check file permissions on my credentials"
  • "Are my tokens showing up in any log files?"

Checks run

# 1. File permissions
stat -c '%a %n' ~/.openclaw/openclaw.json
# Expected: 600

# 2. Plaintext tokens (full token68 charset per RFC 7235)
grep -rnP '("token"\s*:\s*")[^"]{8,}"|[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/ --include="*.json" 2>/dev/null

# 3. Git repo check
git -C ~/.openclaw rev-parse --is-inside-work-tree 2>/dev/null
# Expected: error (not in a repo)

# 4. Gitignore coverage (-F matches the literal string; without it the '.' is a regex wildcard)
grep -qF '.openclaw' ~/.gitignore 2>/dev/null && echo "covered" || echo "not covered"

# 5. Log file leaks (full token68 charset)
grep -rnP '[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/logs/ --include="*.log" 2>/dev/null

# 6. Token age (check config file modification time)
find ~/.openclaw/openclaw.json -mtime +90 -print 2>/dev/null
# If output: token has not been rotated in 90+ days

# 7. Backup file exists (atomic write indicator)
ls ~/.openclaw/openclaw.json.bak 2>/dev/null && echo "backup present" || echo "no backup"
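The seven checks listed under "What it checks" and run as shell one-liners above, collected into one Python validator. This is an added example, not the skill's own code: the Bearer and hex patterns follow the page's grep expressions (Bearer scheme case-insensitive per RFC 6750, token68 charset per RFC 7235), while the JWT pattern, the `.git`-directory walk used in place of `git rev-parse`, the `build_fixture` sample tree and every function name are assumptions made here. It audits a constructed temporary directory rather than ~/.openclaw, so it can be tried offline and the findings are predictable.

```python
import json
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Plaintext token patterns. "bearer" and "hex" mirror the page's grep patterns
# (Bearer scheme matched case-insensitively per RFC 6750, token68 charset per
# RFC 7235); the JWT pattern (three base64url segments joined by dots) is an
# assumption added here, since the page names JWTs but shows no regex for them.
PATTERNS = {
    "json_token_field": re.compile(r'"token"\s*:\s*"[^"]{8,}"'),
    "bearer": re.compile(r'bearer\s+[\w\-.+/=~]{16,}', re.IGNORECASE),
    "jwt": re.compile(r'\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b'),
    "hex": re.compile(r'\b[a-f0-9]{32,}\b'),
}


def find_tokens(text):
    """Return the kinds of plaintext token present in text (never the values)."""
    return sorted(kind for kind, pat in PATTERNS.items() if pat.search(text))


def permissions_ok(path):
    """True when no group/other bits are set, i.e. mode 600 or 700."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def inside_git_worktree(directory):
    """Walk upward looking for a .git entry; same intent as the page's git rev-parse check."""
    start = Path(directory).resolve()
    return any((d / ".git").exists() for d in (start, *start.parents))


def gitignore_covers(gitignore_path, dir_name):
    """True if a non-comment .gitignore line names the config directory exactly."""
    p = Path(gitignore_path)
    if not p.is_file():
        return False
    return any(line.strip().strip("/") == dir_name
               for line in p.read_text().splitlines()
               if line.strip() and not line.strip().startswith("#"))


def token_older_than(path, days):
    """Config mtime stands in for rotation time, as in the page's find -mtime check."""
    return (time.time() - os.stat(path).st_mtime) > days * 86400


def audit(config_dir, config_name="openclaw.json", gitignore=None, max_age_days=90):
    """Run all seven checks and return a dict of findings (booleans / token kinds)."""
    config_dir = Path(config_dir)
    cfg = config_dir / config_name
    log_kinds = set()
    for log in (config_dir / "logs").glob("*.log"):
        # The log check looks for hex/JWT/Bearer only, not the JSON "token" field.
        log_kinds.update(k for k in find_tokens(log.read_text()) if k != "json_token_field")
    return {
        "perms_ok": permissions_ok(cfg),
        "plaintext_in_config": find_tokens(cfg.read_text()),
        "in_git_worktree": inside_git_worktree(config_dir),
        "gitignore_covers": gitignore_covers(gitignore, config_dir.name) if gitignore else False,
        "tokens_in_logs": sorted(log_kinds),
        "token_stale": token_older_than(cfg, max_age_days),
        "backup_present": (config_dir / (config_name + ".bak")).exists(),
    }


def build_fixture(root):
    """Constructed sample: a deliberately sloppy .openclaw tree that trips most checks."""
    root = Path(root)
    cfg_dir = root / ".openclaw"
    (cfg_dir / "logs").mkdir(parents=True)
    (root / ".git").mkdir()                                   # dotfiles repo around the config
    cfg = cfg_dir / "openclaw.json"
    cfg.write_text('{"token": "%s"}\n' % ("a" * 32))          # fake 32-hex-char token
    os.chmod(cfg, 0o644)                                      # world-readable
    old = time.time() - 100 * 86400
    os.utime(cfg, (old, old))                                 # untouched for 100 days
    (cfg_dir / "logs" / "app.log").write_text("Authorization: Bearer abcdefghijklmnop.qrst\n")
    (root / ".gitignore").write_text("# dotfiles\n.openclaw/\n")
    return cfg_dir, root / ".gitignore"


def demo():
    """Audit the constructed fixture in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir, gitignore = build_fixture(tmp)
        return audit(cfg_dir, gitignore=gitignore)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`find_tokens` reports only the kind of token found, never the matched value, so its output is safe to paste into a ticket; the grep lines above print the matching line, which is something to keep in mind before sharing their output.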

Notes

  • Read-only checks; does not modify any files
  • Token patterns match hex, JWT (header.payload.signature), base64url, and Bearer headers case-insensitively per RFC 6750
  • Works with any tool that stores credentials in dotfiles
  • Aligns with T-ACCESS-003 in the OpenClaw threat model

Version history

1 version in total

  • v1.0.0 (current)
    2026-03-30 11:39, scan results: Safe / Safe

Security scan

Tencent Cloud Security (Keen): Safe, no risk
Tencent Cloud Security (Sanbu): Safe, no risk
