# Send Credential Manager to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "credential-manager",
    "name": "Credential Manager",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/Callmedas69/credential-manager",
    "canonicalUrl": "https://clawhub.ai/Callmedas69/credential-manager",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/credential-manager",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-manager",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "CHANGELOG.md",
      "CONSOLIDATION-RULE.md",
      "CORE-PRINCIPLE.md",
      "README.md",
      "SKILL.md",
      "references/security.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "credential-manager",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-02T04:38:02.339Z",
      "expiresAt": "2026-05-09T04:38:02.339Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-manager",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=credential-manager",
        "contentDisposition": "attachment; filename=\"credential-manager-1.3.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "credential-manager"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/credential-manager"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/credential-manager",
    "downloadUrl": "https://openagent3.xyz/downloads/credential-manager",
    "agentUrl": "https://openagent3.xyz/skills/credential-manager/agent",
    "manifestUrl": "https://openagent3.xyz/skills/credential-manager/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/credential-manager/agent.md"
  }
}
```
## Documentation

### Credential Manager

STATUS: MANDATORY SECURITY FOUNDATION

Consolidate scattered API keys and credentials into a secure, centralized .env file.

### ⚠️ This Is Not Optional

Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.

THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.

See:

CORE-PRINCIPLE.md - Why this is non-negotiable
CONSOLIDATION-RULE.md - The single source principle

### The Foundation

Every OpenClaw deployment MUST have:

~/.openclaw/.env (mode 600)

This is your single source of truth for all credentials. No exceptions.

Why?

Single location = easier to secure
File mode 600 = only you can read
Git-ignored = won't accidentally commit
Validated format = catches errors
Audit trail = know what changed

Scattered credentials = scattered attack surface. This skill fixes that.

### What This Skill Does

Scans for credentials in common locations
Backs up existing credential files (timestamped)
Consolidates into ~/.openclaw/.env
Secures with proper permissions (600)
Validates security and format
Enforces best practices
Cleans up old files after migration

### Detection Parameters

The skill automatically detects credentials by scanning for:

File Patterns:

credentials.json files in config directories
.env files
Memory files with -creds or credentials in the name

Sensitive Key Patterns:

API keys, access tokens, bearer tokens
Secrets, passwords, passphrases
OAuth consumer keys
Private keys, signing keys, wallet keys
Mnemonics and seed phrases

Security Checks:

File permissions (must be 600)
Git-ignore protection
Format validation

### Full Migration (Recommended)

# Scan for credentials
./scripts/scan.py

# Review and consolidate
./scripts/consolidate.py

# Validate security
./scripts/validate.py

### Individual Operations

# Scan only
./scripts/scan.py

# Consolidate specific service
./scripts/consolidate.py --service x

# Backup without removing
./scripts/consolidate.py --backup-only

# Clean up old files
./scripts/cleanup.py --confirm

### Common Credential Locations

The skill scans these locations:

~/.config/*/credentials.json
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/*credentials*.json
~/.env (if exists, merges)

### Security Features

✅ File permissions: Sets .env to mode 600 (owner only)
✅ Git protection: Creates/updates .gitignore
✅ Backups: Timestamped backups before changes
✅ Validation: Checks format, permissions, and duplicates
✅ Template: Creates .env.example (safe to share)

### Output Structure

After migration:

~/.openclaw/
├── .env                     # All credentials (secure)
├── .env.example             # Template (safe)
├── .gitignore               # Protects .env
├── CREDENTIALS.md           # Documentation
└── backups/
    └── credentials-old-YYYYMMDD/  # Backup of old files

### Supported Services

Common services auto-detected:

X (Twitter): OAuth 1.0a credentials
Molten: Agent intent matching
Moltbook: Agent social network
Botchan/4claw: Net Protocol
OpenAI, Anthropic, Google: AI providers
GitHub, GitLab: Code hosting
Generic: API_KEY, *_TOKEN, *_SECRET patterns

See references/supported-services.md for full list.

### Security Best Practices

See references/security.md for detailed security guidelines.

Quick checklist:

✅ .env has 600 permissions
✅ .env is git-ignored
✅ No credentials in code or logs
✅ Rotate keys periodically
✅ Use separate keys per environment

### Scripts

All scripts support --help for detailed usage.

### scan.py

# Scan and report
./scripts/scan.py

# Include custom paths
./scripts/scan.py --paths ~/.myapp/config ~/.local/share/creds

# JSON output
./scripts/scan.py --format json

### consolidate.py

# Interactive mode (prompts before changes)
./scripts/consolidate.py

# Auto-confirm (no prompts)
./scripts/consolidate.py --yes

# Backup only
./scripts/consolidate.py --backup-only

# Specific service
./scripts/consolidate.py --service molten

### validate.py

# Full validation
./scripts/validate.py

# Check permissions only
./scripts/validate.py --check permissions

# Fix issues automatically
./scripts/validate.py --fix

### cleanup.py

# Dry run (shows what would be deleted)
./scripts/cleanup.py

# Actually delete old files
./scripts/cleanup.py --confirm

# Keep backups
./scripts/cleanup.py --confirm --keep-backups

### Migration Workflow

Step 1: Discovery

./scripts/scan.py

Review output to see what will be migrated.

Step 2: Backup & Consolidate

./scripts/consolidate.py

Creates backups, builds .env, sets permissions.

Step 3: Validation

./scripts/validate.py

Ensures everything is secure and correct.

Step 4: Test
Test your applications/skills with the new .env file.

Step 5: Cleanup

./scripts/cleanup.py --confirm

Removes old credential files (backups remain).

### For Skill Developers: Enforce This Standard

Other OpenClaw skills MUST validate credentials are secure before using them:

### Python Skills

#!/usr/bin/env python3
import sys
from pathlib import Path

# Add credential-manager scripts to path
sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts'))

# Enforce secure .env (exits if not compliant)
from enforce import require_secure_env, get_credential

require_secure_env()

# Now safe to load credentials
api_key = get_credential('SERVICE_API_KEY')

### Bash Skills

#!/usr/bin/env bash
set -euo pipefail

# Validate .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
    exit 1
fi

# Now safe to load
source ~/.openclaw/.env

This creates a fail-fast system: If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.

### Loading Credentials

After migration, load from .env:

### Python

import os
from pathlib import Path

# Load .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
    for line in f:
        if '=' in line and not line.strip().startswith('#'):
            key, val = line.strip().split('=', 1)
            os.environ[key] = val

# Use credentials
api_key = os.getenv('SERVICE_API_KEY')

### Bash

# Load .env
set -a
source ~/.openclaw/.env
set +a

# Use credentials
echo "$SERVICE_API_KEY"

### Using Existing Loaders

If you migrated using OpenClaw scripts:

from load_credentials import get_credentials
creds = get_credentials('x')

### Adding New Credentials

Edit ~/.openclaw/.env:

# Add new service
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here

Update template too:

# Edit .env.example
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here

### Rollback

If something goes wrong:

# Find your backup
ls -la ~/.openclaw/backups/

# Restore specific file
cp ~/.openclaw/backups/credentials-old-YYYYMMDD/x-credentials.json.bak \\
   ~/.config/x/credentials.json

### Notes

Non-destructive by default: Original files backed up before removal
Idempotent: Safe to run multiple times
Extensible: Add custom credential patterns in scripts
Secure: Never logs full credentials, only metadata
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: Callmedas69
- Version: 1.3.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-02T04:38:02.339Z
- Expires at: 2026-05-09T04:38:02.339Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/credential-manager)
- [Send to Agent page](https://openagent3.xyz/skills/credential-manager/agent)
- [JSON manifest](https://openagent3.xyz/skills/credential-manager/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/credential-manager/agent.md)
- [Download page](https://openagent3.xyz/downloads/credential-manager)