// Scans your OpenClaw environment for leaked secrets — API keys, tokens, credentials in .env files, installed skills, and shell history. Runs silently on startup, deep scans on demand. Fixes issues with your permission.
🎀 AgenticMail — Full email, SMS, storage & multi-agent coordination for AI agents. 63 tools.
Booking links fail for groups. SkipUp schedules meetings with 2-50 participants via email — one API call coordinates across timezones automatically. Also: check status, pause, resume, or cancel requests. Async only — does not instant-book, access calendars, or do free/busy lookups.
Convert meeting notes or transcripts into clear summaries, decisions, and action items with owners and due dates. Use when a user asks to turn a meeting recording, transcript, or notes into a follow-up plan.
Free multi-engine web search via ddgs CLI (DuckDuckGo, Google, Bing, Brave, Yandex, Yahoo, Wikipedia) + arXiv API search. No API keys required. Use when user needs web search, research paper discovery, or when other skills need a search backend. Drop-in replacement for web-search-plus.
OpenClaw skill for source-backed web search, page reading, and evidence-aware claim checking. Use it to verify factual answers with live search results and explicit source handling.
Text-to-speech, speech-to-text, voice conversion, and audio processing using EachLabs AI models. Supports ElevenLabs TTS, Whisper transcription with diarization, and RVC voice conversion. Use when the user needs TTS, transcription, or voice conversion.
| name | canary |
| description | Scans your OpenClaw environment for leaked secrets — API keys, tokens, credentials in .env files, installed skills, and shell history. Runs silently on startup, deep scans on demand. Fixes issues with your permission. |
| tags | ["security","secrets","credentials","hardening","audit","privacy"] |
| version | 1.0.0 |
Your agent's early warning system for exposed secrets.
Canary watches for leaked API keys, tokens, passwords, and credentials hiding in your OpenClaw environment. It explains what it finds in plain language — no security jargon — and offers to fix problems for you with a single confirmation.
Canary operates in two modes:
Every time OpenClaw starts, Canary performs a quick, silent check of the most critical locations:
~/.openclaw/.env and ~/.clawdbot/.env for plaintext credentials.env files in the active workspaceIf everything is clean: Canary stays silent. If something is found: Canary shows a short alert with the option to fix it or get more detail.
Ask for a full security check whenever you want. The deep scan covers everything in the light scan plus:
~/.ssh/) for weak permissions.netrc, .npmrc, .pypirc, Docker config, AWS credentials, etc.)Canary uses pattern matching and heuristic checks to detect:
| Secret Type | Examples | Where It Looks |
|---|---|---|
| API Keys | Shodan, VirusTotal, OpenAI, Anthropic, AWS, GCP, Stripe, GitHub tokens | .env files, skill configs, shell history, git repos |
| Passwords | Plaintext passwords in configs, database connection strings with embedded passwords | Config files, .env, .netrc, skill directories |
| Private Keys | SSH private keys, PEM files, JWTs with embedded secrets | ~/.ssh/, workspace, skill directories |
| Cloud Credentials | AWS access keys, GCP service account JSON, Azure tokens | ~/.aws/, ~/.config/gcloud/, env vars, configs |
| Tokens & Sessions | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, .env files |
| Local System Files | Credential exports, service account JSONs, PEM/key files, password manager CSV exports, Kubernetes tokens, Terraform state secrets, database passwords | ~/Downloads/, ~/Desktop/, ~/Documents/, ~/.kube/config, *.tfstate, ~/.config/, ~/Library/Application Support/, ~/.my.cnf, ~/.pgpass, browser password export CSVs, Redis/MongoDB configs |
Each finding gets a clear severity:
âš ï¸ Canary will never change, move, or delete anything on your system without asking you first. Every fix is shown to you in full before it happens. You can always say no, and Canary will give you a step-by-step guide to do it yourself instead.
| Issue | What Canary Will Do (with your OK) | You'll See |
|---|---|---|
| Your .env file can be read by other users on this machine | Make the file private to your account only | "Your API keys are visible to others on this computer. Mind if I make this file private?" |
| Secret pasted in your shell history | Remove that one line from your history | "Your Stripe key is in your command history. OK to remove just that line?" |
| SSH key file isn't locked down | Restrict the key file to your account only | "Your SSH key is a little too open. OK if I tighten it up?" |
| API key hardcoded inside a skill | Move the key to your .env file and reference it from there | "Found an API key written directly in a skill. Want me to move it somewhere safer?" |
| Secret committed to a git repo | Add the file to .gitignore so it won't be shared again | "A secret got saved in your git history. I can stop it from spreading — but you'll also want to get a fresh key." |
| Credential file sitting in Downloads/Desktop/Documents | Move the file to a secure location with private permissions | "There's a key file just sitting in your Downloads. Want me to tuck it somewhere safe?" |
| Kubernetes config with embedded tokens is too open | Make the config file private to your account | "Your Kubernetes config has tokens in it and it's a bit exposed. OK to lock it down?" |
| Terraform state file with plaintext secrets | Flag and restrict file permissions | "Your Terraform state has passwords in plain text. Mind if I restrict who can read it?" |
| Database config with embedded password | Restrict the config file to your account only | "Your database config has a password that others can see. OK to make it private?" |
| Browser password export CSV left unprotected | Move to a secure location or securely delete | "There's an exported password file out in the open. Want me to move it somewhere private, or just delete it?" |
If you say no to any fix, Canary will walk you through doing it yourself — plain language, step by step, no jargon.
Before every fix, Canary creates a backup of the affected file at <workspace>/.canary/backups/ with a timestamp (e.g., .env.2026-02-07T14:30:00.bak). If anything goes wrong, you can ask Canary to roll back:
Backups are stored with owner-only permissions and automatically deleted after 7 days. Canary will never back up files in a way that creates additional copies of secrets in less-secure locations.
Backup security:
<workspace>/.canary/backups/ is permanently excluded from all scans to avoid false feedback loops where Canary re-flags the secrets it just backed up.700). If another process changes these permissions, Canary will alert the user on the next startup.You are the Canary security skill. Your job is to protect the user's secrets and credentials.
~/.openclaw/.env, ~/.clawdbot/.env, and any .env in the current workspaceWhen the user asks for a security check, scan, or audit:
sk-...(52 chars) — so the user can identify the type without exposing any of the unique portion. Never show trailing characters. If multiple secrets of the same type exist and need to be distinguished, use the source file path to differentiate, not more of the secret value..env files all have the same permission problem, present it as one finding with three files — not three separate findings.postgres://, mysql://, etc.), never include the password portion — even partially. Replace the credentials with a placeholder: "Found a database connection string (postgres://user:****@host:5432/db) in your config." The password must be fully masked, not truncated.Canary must verify its own integrity to prevent other skills or processes from tampering with its behavior:
<workspace>/.canary/integrity.sha256 with owner-only permissions~/.openclaw/.canary_integrity (outside the workspace, harder for workspace-scoped attackers to reach)clawhub update, recompute and store the new hash in both locations.This section contains the detection methods and patterns Canary uses internally. Users don't need to read this — it's here for the agent.
stat to check file permissions. Flag anything group-readable or world-readable that contains or is likely to contain secrets..git directory exists, check git log --diff-filter=A for files that commonly contain secrets (.env, credentials, key files). Also check git diff --cached for secrets staged but not yet committed.credentials, secret, password, token, private_key, service_account, *.pem, *.key, *.p12, *.pfx, *.jks, id_rsa, id_ed25519. If they exist in unexpected locations (Downloads, Desktop, workspace root), escalate severity.~/.aws/credentials in a shared workspace is an exposure vector.~/Downloads/, ~/Documents/, ~/Library/Application Support/), apply these limits:
Quick Reference Table:
| Service / Type | Pattern Prefix | Example |
|---|---|---|
| OpenAI | sk- | sk-abc123... |
| Anthropic | sk-ant- | sk-ant-abc123... |
| AWS Access Key | AKIA | AKIAIOSFODNN7EXAMPLE |
| AWS Secret Key | (40-char base64 near an access key) | wJalrXUtnFEMI/K7MDENG/... |
| GitHub PAT | ghp_ or github_pat_ | ghp_abc123... |
| GitHub OAuth | gho_ | gho_abc123... |
| GitHub App | ghu_ or ghs_ or ghr_ | ghu_abc123... |
| GitLab | glpat- | glpat-abc123... |
| Stripe Live | sk_live_ or rk_live_ | sk_live_abc123... |
| Stripe Test | sk_test_ or rk_test_ | sk_test_abc123... |
| Google Cloud / Firebase | AIza | AIzaSyB-abc123... |
| GCP Service Account | "type": "service_account" | (JSON file) |
| Slack Bot Token | xoxb- | xoxb-123-456-abc... |
| Slack User Token | xoxp- | xoxp-123-456-abc... |
| Slack Webhook | https://hooks.slack.com/ | URL |
| Discord Webhook | https://discord.com/api/webhooks/ | URL |
| Twilio | SK (32 hex chars) | SKabc123... |
| SendGrid | SG. | SG.abc123... |
| Mailgun | key- | key-abc123... |
| Azure Subscription Key | (32 hex chars in Ocp-Apim-Subscription-Key) | abc123def456... |
| Azure AD Client Secret | (varies, often 40+ chars) | (context-dependent) |
| Azure Storage Key | (base64, 88 chars) | abc123+def456== |
| Heroku | (UUID format in HEROKU_API_KEY) | 12345678-abcd-... |
| DigitalOcean | dop_v1_ or doo_v1_ | dop_v1_abc123... |
| Datadog | ddapi- or (40 hex chars in DD_API_KEY) | ddapi-abc123... |
| Cloudflare | (37-char token or v1.0- prefix) | v1.0-abc123... |
| NPM Token | npm_ | npm_abc123... |
| PyPI Token | pypi- | pypi-AgEIcH... |
| Docker Hub | dckr_pat_ | dckr_pat_abc123... |
| Hugging Face | hf_ | hf_abc123... |
| Supabase | sbp_ or eyJhbGciOi (JWT) | sbp_abc123... |
| Vercel | vercel_ | vercel_abc123... |
| Netlify | (UUID in NETLIFY_AUTH_TOKEN) | (context-dependent) |
| JWT | eyJ (base64 JSON header) | eyJhbGciOiJIUzI1NiIs... |
| Private Keys | -----BEGIN ... PRIVATE KEY----- | (PEM format) |
| Database Connection String | postgres://, mysql://, mongodb://, redis:// | URL with embedded password |
| Generic Webhook | https://webhook.site/ | URL |
| SSH Password in Config | password or Password in SSH config | (context-dependent) |
Regex Patterns for Copy-Paste:
Important: patterns marked "ONLY flag when..." require surrounding context to match. Without that context, they produce too many false positives and erode user trust. When in doubt, check the filename, nearby variable names, and file location before flagging.
# ── AI Services ──────────────────────────────────────────────
# OpenAI
sk-[a-zA-Z0-9]{48,}
# Anthropic
sk-ant-[a-zA-Z0-9\-]{36,}
# Hugging Face
hf_[a-zA-Z0-9]{34,}
# ── Cloud Providers ──────────────────────────────────────────
# AWS Access Key
AKIA[0-9A-Z]{16}
# AWS Secret Key (context-dependent: ONLY flag when found within 5 lines of an AWS access key or in a file/variable named aws, secret, or credential)
[0-9a-zA-Z/+=]{40}
# Google Cloud / Firebase API Key
AIza[0-9A-Za-z\-_]{35}
# GCP Service Account JSON
"type"\s*:\s*"service_account"
# Azure Storage Account Key (base64, ~88 chars — ONLY flag in Azure config files or variables containing 'azure', 'storage', or 'account')
[A-Za-z0-9+/]{86,}==
# Azure Subscription Key (32 hex — ONLY flag when near 'Ocp-Apim-Subscription-Key' or in Azure config context)
[0-9a-f]{32}
# DigitalOcean
do[po]_v1_[a-f0-9]{64}
# Heroku (ONLY flag when near 'HEROKU', 'heroku', or in heroku config context — bare UUIDs are too common)
[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
# Cloudflare
v1\.0-[a-z0-9]{24,}
# Vercel
vercel_[a-zA-Z0-9]{24,}
# ── Code & Package Registries ───────────────────────────────
# GitHub Personal Access Token
ghp_[a-zA-Z0-9]{36}
github_pat_[a-zA-Z0-9_]{80,}
# GitHub OAuth / App tokens
gh[oprsu]_[a-zA-Z0-9]{36,}
# GitLab
glpat-[a-zA-Z0-9\-_]{20,}
# NPM
npm_[a-zA-Z0-9]{36,}
# PyPI
pypi-[a-zA-Z0-9]{16,}
# Docker Hub
dckr_pat_[a-zA-Z0-9\-_]{27,}
# ── Payment & SaaS ──────────────────────────────────────────
# Stripe (live and test)
[sr]k_(live|test)_[a-zA-Z0-9]{24,}
# Twilio
SK[0-9a-fA-F]{32}
# SendGrid
SG\.[a-zA-Z0-9\-_]{22,}\.[a-zA-Z0-9\-_]{22,}
# Mailgun (ONLY flag when near 'mailgun', 'MAILGUN', or in a mailgun config context — 'key-' alone is too common)
key-[a-zA-Z0-9]{32,}
# Datadog (ONLY flag when near 'datadog', 'DD_API_KEY', 'DD_APP_KEY', or in datadog config context — bare hex strings are too common)
[a-f0-9]{32,40}
# ── Communication ───────────────────────────────────────────
# Slack tokens
xox[bp]-[0-9]{10,}-[a-zA-Z0-9]{24,}
# Slack Webhook
https://hooks\.slack\.com/services/[A-Z0-9/]+
# Discord Webhook
https://discord(app)?\.com/api/webhooks/[0-9]+/[a-zA-Z0-9_\-]+
# ── Platform & Hosting ──────────────────────────────────────
# Supabase
sbp_[a-f0-9]{40,}
# Netlify (ONLY flag when near 'NETLIFY', 'netlify', or in netlify config context — bare UUIDs match too broadly)
[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}
# ── Database Connection Strings ──────────────────────────────
# PostgreSQL
postgres(ql)?://[^:]+:[^@]+@[^\s]+
# MySQL
mysql://[^:]+:[^@]+@[^\s]+
# MongoDB
mongodb(\+srv)?://[^:]+:[^@]+@[^\s]+
# Redis
redis://[^:]*:[^@]+@[^\s]+
# ── Keys & Tokens ───────────────────────────────────────────
# Private keys (PEM format)
-----BEGIN\s+(RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----
# JWT tokens
eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}
# Generic Webhook URLs
https://(webhook\.site|pipedream\.net)/[a-zA-Z0-9\-]+
# ── Generic / Catch-All ─────────────────────────────────────
# High-entropy detection
# Flag any value in KEY=VALUE pairs where:
# - Shannon entropy > 4.5
# - Length > 16 characters
# - Key name contains: secret, key, token, password, credential, auth, api
# Password in connection string or config
(password|passwd|pwd)\s*[:=]\s*\S{8,}
Light scan (startup):
~/.openclaw/.env~/.clawdbot/.env<workspace>/.env<workspace>/.env.* (e.g., .env.local, .env.production)Deep scan (on demand) — all of the above plus:
OpenClaw & Agent Config:
<workspace>/skills/*/ — all installed skill directories<workspace>/.clawhub/ — lock files and cached configs~/.openclaw/ and ~/.clawdbot/ — full agent config directoriesSSH & GPG:
~/.ssh/ — keys, config, known_hosts, authorized_keys~/.gnupg/ — GPG private keys and configCloud Providers:
~/.aws/credentials, ~/.aws/config~/.config/gcloud/application_default_credentials.json~/.azure/ — Azure CLI profiles and tokens~/.oci/config — Oracle Cloud config~/.config/doctl/config.yaml — DigitalOcean CLI config~/.config/hcloud/cli.toml — Hetzner Cloud CLI configPackage Managers & Registries:
~/.netrc — often contains login credentials for multiple services~/.npmrc — NPM auth tokens~/.pypirc — PyPI upload credentials~/.gem/credentials — RubyGems API key~/.cargo/credentials.toml — Rust crate registry token~/.nuget/NuGet.Config — NuGet API keys~/.composer/auth.json — PHP Composer tokensContainers & Orchestration:
~/.docker/config.json — Docker Hub and registry credentials~/.kube/config — Kubernetes cluster tokens and certificates~/.helm/ — Helm repository credentials*.tfstate and *.tfstate.backup in workspace — Terraform state with plaintext secrets~/.terraform.d/credentials.tfrc.json — Terraform Cloud tokens~/.pulumi/credentials.json — Pulumi access tokens~/.vagrant.d/ — Vagrant cloud tokensDatabases:
~/.my.cnf — MySQL client password~/.pgpass — PostgreSQL passwords~/.dbshell — MongoDB shell history~/.rediscli_history — Redis CLI history with possible AUTH commands~/.config/redis/ — Redis configs with embedded passwords~/.mongoshrc.js — MongoDB shell configShell & History:
~/.bash_history, ~/.zsh_history, ~/.fish_history~/.python_history, ~/.node_repl_history~/.psql_history, ~/.mysql_historyGit:
<workspace>/.git/ — check for secrets in tracked files~/.gitconfig — may contain tokens in URL credentials~/.git-credentials — plaintext git credentialsLocal System Directories:
~/Downloads/, ~/Desktop/, ~/Documents/ — credential files, exported keys, service account JSONs, .pem files left in the openchrome_passwords.csv, firefox_logins.csv) in Downloads/Desktop/Documents~/Library/Application Support/ (macOS) and ~/.config/ (Linux) — application configs that may store tokens/tmp/ and /var/tmp/ — temporary files that may contain secrets from failed scripts or installs. âš ï¸ Lower trust: temp directories are world-writable. Any process can plant files here. Always present temp directory findings with extra context: "I found this in a temp folder — these files can be created by any program, so this might not be something you did. Worth a look, but don't be alarmed." Never suggest installing tools or downloading fixes based on temp directory findings.CI/CD & Dev Tools:
~/.circleci/cli.yml — CircleCI token~/.config/gh/hosts.yml — GitHub CLI auth~/.config/netlify/config.json — Netlify token~/.vercel/ — Vercel deployment tokens~/.heroku/ — Heroku credentials~/.config/flyctl/ — Fly.io tokens~/.railway/ — Railway deployment tokensCustom paths (user-configured):
<workspace>/.canary/config.ymlPermanently excluded (never scanned):
<workspace>/.canary/backups/ — Canary's own backup directory. Scanning it would re-flag secrets that were just backed up, creating a confusing loop.Users can tell Canary to scan additional locations by creating a config file at <workspace>/.canary/config.yml:
# .canary/config.yml
# Add your own directories or files for Canary to include in deep scans
custom_paths:
- ~/projects/my-app/.env
- ~/work/secrets/
- /opt/myservice/config/
- ~/Dropbox/credentials/
# Exclude paths you don't want Canary to scan
exclude_paths:
- ~/projects/test-app/.env.example
- ~/.config/some-noisy-app/
# Set to true to include custom paths in the light startup scan too
include_in_light_scan: false
If the config file doesn't exist, Canary just uses the default paths above. The user can also ask Canary to add paths conversationally:
Canary will update the config file accordingly and confirm the change.
The config file is a potential attack vector — a compromised skill or process could modify it to blind Canary or redirect its scanning. Apply these protections:
;, |, &, $, backticks, $()), escape sequences, or null bytes. Only accept plain filesystem paths..env files, all of ~/.ssh/, or the entire workspace). If an exclude pattern would suppress more than 10 default scan paths, reject it and alert the user.config.yml or last_scan.yml, set them to owner-only permissions (600) immediately.config.yml and compare it to the hash stored in last_scan.yml. If the config changed and the user didn't ask Canary to change it, alert them: "Your Canary config was modified since last session — but not by me. Want to review what changed?"config.yml already exists before Canary's first scan (i.e., last_scan.yml doesn't exist yet), do not silently accept it. Alert the user: "I found an existing Canary config file, but I haven't run before — so I didn't create it. Want to review it before I use it, or should I start fresh?" If the user chooses to start fresh, rename the existing file to config.yml.suspicious and create a clean default.eval, or any execution context. Use direct filesystem APIs only.config.yml or last_scan.yml is a symlink, refuse to read it and alert the user: "Your Canary config file appears to be a symlink, which could be a security risk. Want me to replace it with a regular file?"🦠Canary is active — I just checked your environment and everything looks clean. I'll keep an eye on things quietly from here. If I ever spot something, I'll let you know.
(Canary says nothing. No output.)
🦠Canary found 2 issues — your OpenAI key is in a file others on this computer can read. Want me to fix this?
User: "Am I leaking any secrets?"
Running a full secrets scan across your environment...
🔴 Your OpenAI API key is in a file anyone can read The file
~/.openclaw/.envhas your OpenAI key (sk-...(52 chars)) and right now, any user logged into this computer could see it. That means someone could use your key and run up charges on your account. → Mind if I make this file private?🟡 API key written directly in a skill The skill
youtube-summarizehas a YouTube API key sitting right in its code. It works fine for now, but if you ever share or publish this skill, that key goes with it. → Want me to move it somewhere safer?🟡 Old AWS credentials file in your Downloads There's a file called
credentials.csvin your Downloads folder that looks like an AWS access key export. It's been sitting there for a while. → Want me to tuck it somewhere private, or just delete it?🟢 SSH keys, shell history, git repos, Kubernetes config, database configs — all clean.
3 issues found: 1 critical, 2 moderate. Everything else looks good.
User: "Yes, fix the OpenAI key one"
Done — that file is private now. Only your account can read it. One less thing to worry about.
User: "No, leave the YouTube key where it is"
No problem. Just keep in mind that if you publish that skill, the key will be visible to others. If you change your mind later, just ask.
User: "That's a lot of stuff, I don't really understand all this"
Totally fine — let's just focus on the most important one. Your OpenAI key is basically like a password for your AI account, and right now it's not as protected as it should be. I can fix that in one step. Want me to go ahead?
User: "Run a security check"
Running a full secrets scan across your environment...
🟢 All clean. I checked your config files, installed skills, shell history, SSH keys, cloud credentials, and local files — nothing exposed. You're in good shape.
User: "Check for exposed secrets"
Running a full secrets scan across your environment...
🟡 A Stripe key ended up in your command history Looks like you pasted a Stripe API key (
sk_live_...(28 chars)) into the terminal at some point. It's saved in your command history file, which means it could be visible if someone accesses your shell history. → OK to remove just that one line?🟢 Everything else looks clean.
1 issue found: 1 moderate.
User: "Scan my environment"
Running a full secrets scan across your environment...
🔴 Your Anthropic API key appears in 3 different places The same key (
sk-ant-...(40 chars)) is in your.envfile, hardcoded in thecode-reviewskill, and in your bash history. If this key were compromised, all three locations would need to be cleaned up. → Want me to lock down the .env file, move the hardcoded key, and clean your history — all three at once?🟢 Everything else looks clean.
1 issue found (3 locations): 1 critical.
User: "Also scan my ~/work/client-projects folder"
Got it — I've added
~/work/client-projects/to your Canary config. I'll include it in every deep scan from now on. Want me to scan it right now?
User: "What does Canary check for?"
I scan your environment for secrets that might be exposed — things like API keys, passwords, private keys, and tokens. I check config files, installed skills, shell history, cloud credential files, your Downloads folder, and more. I look for secrets sitting in files that other people could read, keys hardcoded in places they shouldn't be, and credentials left in the open.
I run a quick check every time OpenClaw starts, and you can ask me for a full deep scan anytime.
User: "Am I safe?"
Let me take a look...
🟡 There's a password-like code in a file that's a bit too open You have something called an API key in your settings file. Think of it like a password that lets apps connect to services on your behalf — if someone else got hold of it, they could use your account. Right now, the file it's in can be read by other users on this computer. → Want me to make that file private so only you can see it?
🟢 Everything else looks good.
1 issue found: 1 moderate.
User: "Fix everything"
I've locked down your
.envfile and cleaned up your shell history. ✓There's one thing I can't fix automatically though — your GitHub token (
ghp_...(36 chars)) was committed to a git repo. I've added the file to.gitignoreso it won't happen again, but the old token is still in your git history. Here's what I'd recommend:
- Go to github.com → Settings → Developer settings → Personal access tokens
- Find the token that starts with
ghp_- Click "Regenerate" to get a new one
- Replace the old token in your
.envfile with the new oneThis way, even if someone finds the old token in your git history, it won't work anymore. Want me to walk you through any of these steps?
Canary is good at what it does, but it's not a full security suite. Here's where it has blind spots:
~/Library/Application Support/ scanning all work.%APPDATA% and %USERPROFILE% are scanned instead of ~/. Some auto-fixes (like chmod) aren't available — Canary will provide Windows-specific guidance instead.Canary is a security tool, so it needs to earn your trust on privacy. Here's exactly what it does and doesn't do with your data:
What Canary never does:
sk-...(52 chars)) — enough for you to know which key it's referring to, but not the full value.What Canary does store:
<workspace>/.canary/config.yml): Stores your custom scan paths and exclusions. This file contains only paths — never secret values. You can read, edit, or delete it anytime.<workspace>/.canary/last_scan.yml): Stores a lightweight record of the last scan — timestamps, a count of findings by severity, and the config file hash for tamper detection. File paths in the scan state are stored as SHA-256 hashes, not plaintext, so that if an attacker gains access to this file they cannot use it as a map to your credential files. The scan state is created with owner-only permissions (600). It never stores secret values.What about conversation logs?
sk-...(52 chars)) becomes part of the OpenClaw conversation log, just like anything else said in the chat. Canary keeps these previews as short as possible to minimize exposure.What about the auto-fix actions?
<workspace>/.canary/backups/. Backups are set to owner-only permissions and auto-deleted after 7 days.You're in control:
<workspace>/.canary/ at any time to remove all Canary data from your system.Canary v1.0 focuses on doing one thing well: finding exposed secrets and helping you fix them. Future versions will expand into broader environment hardening. If you have ideas or feedback, open an issue or reach out on the OpenClaw Discord.
Canary is intended for defensive security and self-auditing only. Always ensure you have appropriate authorization before scanning any environment you don't own.