canary
Canary scans OpenClaw environments for leaked secrets like API keys and tokens, offering fixes with user permission.
Security score
The canary skill was audited on Feb 9, 2026 and we found 105 security issues across 5 threat categories, including 7 critical. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
  line 63: | **Tokens & Sessions** | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, `.env` files |
  line 214: | Slack Webhook | `https://hooks.slack.com/` | URL |
  line 215: | Discord Webhook | `https://discord.com/api/webhooks/` | URL |
  line 236: | Generic Webhook | `https://webhook.site/` | URL |
  line 325: # Slack Webhook
  line 328: # Discord Webhook
  line 329: https://discord(app)?\.com/api/webhooks/[0-9]+/[a-zA-Z0-9_\-]+
  line 358: # Generic Webhook URLs
  line 359: https://(webhook\.site|pipedream\.net)/[a-zA-Z0-9\-]+
Access to hidden dotfiles in home directory
  line 33: - `~/.openclaw/.env` and `~/.clawdbot/.env` for plaintext credentials
  line 47: - SSH keys and config (`~/.ssh/`) for weak permissions
  line 61: | **Private Keys** | SSH private keys, PEM files, JWTs with embedded secrets | `~/.ssh/`, workspace, skill directories |
  line 62: | **Cloud Credentials** | AWS access keys, GCP service account JSON, Azure tokens | `~/.aws/`, `~/.config/gcloud/`, env vars, configs |
  line 64: | **Local System Files** | Credential exports, service account JSONs, PEM/key files, password manager CSV exports, Kubernetes tokens, Terraform state secrets, database passwords | `~/Downloads/`, `~/D
  line 117: - `~/.openclaw/.env`, `~/.clawdbot/.env`, and any `.env` in the current workspace
  line 164: - A second copy embedded in OpenClaw's own config at `~/.openclaw/.canary_integrity` (outside the workspace, harder for workspace-scoped attackers to reach)
  line 184: - **Symlink detection**: Check if any files in scanned directories are symlinks pointing to credential files elsewhere on the system. A symlink to `~/.aws/credentials` in a shared workspace is an expo
  line 375: - `~/.openclaw/.env`
  line 376: - `~/.clawdbot/.env`
  line 385: - `~/.openclaw/` and `~/.clawdbot/` — full agent config directories
  line 389: - `~/.ssh/` — keys, config, `known_hosts`, `authorized_keys`
  line 390: - `~/.gnupg/` — GPG private keys and config
  line 393: - `~/.aws/credentials`, `~/.aws/config`
  line 394: - `~/.config/gcloud/application_default_credentials.json`
  line 395: - `~/.azure/` — Azure CLI profiles and tokens
  line 396: - `~/.oci/config` — Oracle Cloud config
  line 397: - `~/.config/doctl/config.yaml` — DigitalOcean CLI config
  line 398: - `~/.config/hcloud/cli.toml` — Hetzner Cloud CLI config
  line 401: - `~/.netrc` — often contains login credentials for multiple services
  line 402: - `~/.npmrc` — NPM auth tokens
  line 403: - `~/.pypirc` — PyPI upload credentials
  line 404: - `~/.gem/credentials` — RubyGems API key
  line 405: - `~/.cargo/credentials.toml` — Rust crate registry token
  line 406: - `~/.nuget/NuGet.Config` — NuGet API keys
  line 407: - `~/.composer/auth.json` — PHP Composer tokens
  line 410: - `~/.docker/config.json` — Docker Hub and registry credentials
  line 411: - `~/.kube/config` — Kubernetes cluster tokens and certificates
  line 412: - `~/.helm/` — Helm repository credentials
  line 414: - `~/.terraform.d/credentials.tfrc.json` — Terraform Cloud tokens
  line 415: - `~/.pulumi/credentials.json` — Pulumi access tokens
  line 416: - `~/.vagrant.d/` — Vagrant cloud tokens
  line 419: - `~/.my.cnf` — MySQL client password
  line 420: - `~/.pgpass` — PostgreSQL passwords
  line 421: - `~/.dbshell` — MongoDB shell history
  line 422: - `~/.rediscli_history` — Redis CLI history with possible AUTH commands
  line 423: - `~/.config/redis/` — Redis configs with embedded passwords
  line 424: - `~/.mongoshrc.js` — MongoDB shell config
  line 427: - `~/.bash_history`, `~/.zsh_history`, `~/.fish_history`
  line 428: - `~/.python_history`, `~/.node_repl_history`
  line 429: - `~/.psql_history`, `~/.mysql_history`
  line 433: - `~/.gitconfig` — may contain tokens in URL credentials
  line 434: - `~/.git-credentials` — plaintext git credentials
  line 439: - `~/Library/Application Support/` (macOS) and `~/.config/` (Linux) — application configs that may store tokens
  line 443: - `~/.circleci/cli.yml` — CircleCI token
  line 444: - `~/.config/gh/hosts.yml` — GitHub CLI auth
  line 445: - `~/.config/netlify/config.json` — Netlify token
  line 446: - `~/.vercel/` — Vercel deployment tokens
  line 447: - `~/.heroku/` — Heroku credentials
  line 448: - `~/.config/flyctl/` — Fly.io tokens
  line 449: - `~/.railway/` — Railway deployment tokens
  line 474: - ~/.config/some-noisy-app/
  line 493: - **Restrict exclude_paths scope.** Exclude paths must be specific files or directories. Canary must never allow excluding entire critical categories (e.g., all `.env` files, all of `~/.ssh/`, or the
  line 529: > The file `~/.openclaw/.env` has your OpenAI key (`sk-...(52 chars)`) and right now, any user logged into this computer could see it. That means someone could use your key and run up charges on your
Access to SSH directory
  line 47: - SSH keys and config (`~/.ssh/`) for weak permissions
  line 61: | **Private Keys** | SSH private keys, PEM files, JWTs with embedded secrets | `~/.ssh/`, workspace, skill directories |
  line 389: - `~/.ssh/` — keys, config, `known_hosts`, `authorized_keys`
  line 493: - **Restrict exclude_paths scope.** Exclude paths must be specific files or directories. Canary must never allow excluding entire critical categories (e.g., all `.env` files, all of `~/.ssh/`, or the
Access to AWS credentials directory
  line 62: | **Cloud Credentials** | AWS access keys, GCP service account JSON, Azure tokens | `~/.aws/`, `~/.config/gcloud/`, env vars, configs |
  line 184: - **Symlink detection**: Check if any files in scanned directories are symlinks pointing to credential files elsewhere on the system. A symlink to `~/.aws/credentials` in a shared workspace is an expo
  line 393: - `~/.aws/credentials`, `~/.aws/config`
Access to .env file
  line 5: .env files, installed skills, and shell history. Runs silently on startup, deep scans
  line 33: - `~/.openclaw/.env` and `~/.clawdbot/.env` for plaintext credentials
  line 35: - Any `.env` files in the active workspace
  line 59: | **API Keys** | Shodan, VirusTotal, OpenAI, Anthropic, AWS, GCP, Stripe, GitHub tokens | `.env` files, skill configs, shell history, git repos |
  line 60: | **Passwords** | Plaintext passwords in configs, database connection strings with embedded passwords | Config files, `.env`, `.netrc`, skill directories |
  line 63: | **Tokens & Sessions** | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, `.env` files |
  line 72: - 🟢 **Good** — Checked and clean. Example: *"Your .env files are locked down properly."*
  line 82: | Your .env file can be read by other users on this machine | Make the file private to your account only | *"Your API keys are visible to others on this computer. Mind if I make this file private?"* |
  line 85: | API key hardcoded inside a skill | Move the key to your .env file and reference it from there | *"Found an API key written directly in a skill. Want me to move it somewhere safer?"* |
  line 95: **Before every fix**, Canary creates a backup of the affected file at `<workspace>/.canary/backups/` with a timestamp (e.g., `.env.2026-02-07T14:30:00.bak`). If anything goes wrong, you can ask Canary
  line 98: - *"Restore my .env file"*
  line 117: - `~/.openclaw/.env`, `~/.clawdbot/.env`, and any `.env` in the current workspace
  line 124: 4. **Suppress repeated alerts.** If the same issue was flagged on the previous startup and the user has not addressed it, do not alert again. Instead, track it silently. If the same issue persists for
  line 149: - **Group related issues together.** If three `.env` files all have the same permission problem, present it as one finding with three files — not three separate findings.
  line 181: - **Git history**: If a `.git` directory exists, check `git log --diff-filter=A` for files that commonly contain secrets (`.env`, credentials, key files). Also check `git diff --cached` for secrets st
  line 375: - `~/.openclaw/.env`
  line 376: - `~/.clawdbot/.env`
  line 377: - `<workspace>/.env`
  line 378: - `<workspace>/.env.*` (e.g., `.env.local`, `.env.production`)
  line 466: - ~/projects/my-app/.env
  line 473: - ~/projects/test-app/.env.example
  line 493: - **Restrict exclude_paths scope.** Exclude paths must be specific files or directories. Canary must never allow excluding entire critical categories (e.g., all `.env` files, all of `~/.ssh/`, or the
  line 529: > The file `~/.openclaw/.env` has your OpenAI key (`sk-...(52 chars)`) and right now, any user logged into this computer could see it. That means someone could use your key and run up charges on your
  line 603: > The same key (`sk-ant-...(40 chars)`) is in your `.env` file, hardcoded in the `code-review` skill, and in your bash history. If this key were compromised, all three locations would need to be clean
  line 604: > → *Want me to lock down the .env file, move the hardcoded key, and clean your history — all three at once?*
  line 650: > I've locked down your `.env` file and cleaned up your shell history. ✓
  line 657: > 4. Replace the old token in your `.env` file with the new one
Access to system keychain/keyring
  line 673: - **macOS**: Full support. File permissions, Keychain export detection, `~/Library/Application Support/` scanning all work.
Base64 decode operation
  line 185: - **Encoding detection**: Check for base64-encoded secrets in config files. Decode and run pattern matching against the decoded content — base64 encoding is often used to obscure secrets but does no
External URL reference
  line 214: | Slack Webhook | `https://hooks.slack.com/` | URL |
  line 215: | Discord Webhook | `https://discord.com/api/webhooks/` | URL |
  line 236: | Generic Webhook | `https://webhook.site/` | URL |
  line 326: https://hooks\.slack\.com/services/[A-Z0-9/]+
  line 329: https://discord(app)?\.com/api/webhooks/[0-9]+/[a-zA-Z0-9_\-]+
  line 359: https://(webhook\.site|pipedream\.net)/[a-zA-Z0-9\-]+