OpenClaw Env Secret Scanner
Paste your .env file or auth profile values and instantly detect plaintext secrets vs. valid environment variable references. Replicates OpenClaw's secrets audit --check logic in your browser. Based on OpenClaw PR #54141 merged May 16, 2026.
Why Use the Env Secret Scanner
Catch exposed credentials before OpenClaw's audit does — or before you accidentally commit them.
Plaintext Secret Detection
Detects exposed API keys from 15+ providers including OpenAI, Anthropic, OpenRouter, AWS, GitHub, Stripe, and more using real prefix patterns.
Env-Ref Validation
Validates that $VAR and ${VAR} references follow OpenClaw's required pattern (a name matching [A-Z][A-Z0-9_]*, i.e. starting with an uppercase letter) and flags invalid lowercase refs.
High-Entropy Detection
Catches unmarked secrets without known prefixes by detecting high-entropy base64/alphanumeric strings of 32+ characters that likely represent tokens or keys.
Per-Entry Remediation
Every finding includes a concrete fix — the exact env-var reference to use as a replacement, following OpenClaw's SecretRef resolution rules.
Browser-Only Processing
Nothing leaves your machine. All scanning runs client-side in your browser — no server calls, no telemetry, no data stored anywhere except your screen.
Exportable Audit Report
Generate a structured text report with grade, findings, and remediation steps. Copy it to share with your team or paste into a PR review.
Scan Your Config
Paste KEY=VALUE pairs below. Supports .env format, YAML auth values, or bare secrets. Comments (#) are ignored.
Runs entirely in your browser — nothing is sent to any server.
Frequently Asked Questions
What is the OpenClaw secrets audit?
OpenClaw includes a built-in `secrets audit --check` command that scans auth profiles and config files for plaintext credentials. It classifies each value as a SecretRef (env-var reference), plaintext secret, or safe value. This tool replicates that logic in your browser so you can pre-check before running the real audit.
What secret patterns does this detect?
The scanner detects provider-specific prefixes including sk- (OpenAI), sk-ant- (Anthropic), sk-or-v1- (OpenRouter), xai- (Grok), gsk_ (Groq), AKIA (AWS), ghp_ (GitHub), glpat- (GitLab), SG. (SendGrid), xoxb-/xoxp- (Slack), hf_ (Hugging Face), and Stripe keys. It also flags any 32+ character alphanumeric string as a potential secret.
What's the difference between $VAR and ${VAR}?
Both are valid env-var reference syntaxes in OpenClaw. PR #54141 fixed a bug where only ${VAR} (brace syntax) was recognized — the shorthand $VAR format was incorrectly flagged as PLAINTEXT_FOUND. Both now pass audit checks as long as the variable name starts with an uppercase letter and uses only [A-Z0-9_] characters.
Why does my $lowercase ref get flagged?
OpenClaw's ENV_SECRET_TEMPLATE_RE pattern requires env-var names to start with an uppercase letter: $[A-Z][A-Z0-9_]*. References like $mySecret or $api_key are invalid and won't be resolved by the gateway. Rename them to $MY_SECRET or $API_KEY.
Is my data sent anywhere?
No. This tool runs 100% client-side in your browser using JavaScript. No network requests are made, no data is stored in cookies or localStorage, and nothing is logged. You can verify by opening your browser's Network tab while scanning.
How is the audit grade calculated?
A = no plaintext secrets and no invalid refs; B = no plaintext secrets but one or more invalid refs; C = pass rate ≥ 75%; D = pass rate ≥ 50%; F = pass rate below 50%. The pass rate is the number of valid env-refs plus safe values divided by the total number of scanned entries.
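The env-ref validation, prefix and entropy checks from the feature list and the grade rules in this answer, combined in one added JavaScript example. This is not the scanner's or OpenClaw's own code: the regex shapes, the Stripe prefixes and the 3.5-bit entropy cut-off are assumptions, not OpenClaw's actual ENV_SECRET_TEMPLATE_RE.

```javascript
// Added example (not the scanner's or OpenClaw's code): classify .env entries as this page describes and
// grade them per the FAQ. Regex shapes, Stripe prefixes and the 3.5-bit entropy cut-off are assumptions.
const ENV_REF_RE = /^\$(?:\{[A-Z][A-Z0-9_]*\}|[A-Z][A-Z0-9_]*)$/; // valid $VAR or ${VAR}
const ANY_REF_RE = /^\$\{?[A-Za-z0-9_]+\}?$/;                        // anything shaped like a ref
const SECRET_PREFIXES = ['sk-ant-', 'sk-or-v1-', 'sk-', 'xai-', 'gsk_', 'AKIA', 'ghp_',
  'glpat-', 'SG.', 'xoxb-', 'xoxp-', 'hf_', 'sk_live_', 'sk_test_']; // last two: Stripe

function shannonBits(s) { // Shannon entropy in bits per character (a random 32-char token scores near 5)
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  return [...counts.values()].reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function classifyValue(value) {
  const v = value.trim().replace(/^(["'])(.*)\1$/, '$2'); // strip one pair of matching quotes
  if (v === '') return 'SAFE';
  if (ENV_REF_RE.test(v)) return 'VALID_REF';
  if (ANY_REF_RE.test(v)) return 'INVALID_REF'; // e.g. $api_key: the gateway will not resolve it
  if (SECRET_PREFIXES.some(p => v.startsWith(p))) return 'PLAINTEXT_FOUND';
  if (/^[A-Za-z0-9+/=_-]{32,}$/.test(v) && shannonBits(v) >= 3.5) return 'PLAINTEXT_FOUND'; // assumed cut-off
  return 'SAFE';
}

function suggestRef(key) { // remediation: an env-var name satisfying [A-Z][A-Z0-9_]*
  let name = key.toUpperCase().replace(/[^A-Z0-9_]/g, '_');
  if (!/^[A-Z]/.test(name)) name = 'ENV_' + name;
  return '${' + name + '}';
}
function scanEnv(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // comments are ignored
    const eq = line.indexOf('=');
    const key = eq < 0 ? 'SECRET' : line.slice(0, eq).trim(); // bare value: placeholder key
    const status = classifyValue(eq < 0 ? line : line.slice(eq + 1));
    const needsFix = status === 'PLAINTEXT_FOUND' || status === 'INVALID_REF';
    findings.push({ key, status, fix: needsFix ? suggestRef(key) : null });
  }
  return findings;
}

function grade(findings) { // A/B/C/D/F per the FAQ; passing = valid refs + safe values
  const secrets = findings.filter(f => f.status === 'PLAINTEXT_FOUND').length;
  const invalid = findings.filter(f => f.status === 'INVALID_REF').length;
  if (secrets === 0) return invalid === 0 ? 'A' : 'B';
  const passRate = (findings.length - secrets - invalid) / findings.length;
  return passRate >= 0.75 ? 'C' : passRate >= 0.5 ? 'D' : 'F';
}
```

Feeding `scanEnv` a file with one prefixed key, one valid ref, one lowercase ref and one plain URL yields a 50% pass rate and therefore grade D.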
Secure Your OpenClaw Deployment
DeployClaw manages secrets, env-var injection, and audit compliance for your OpenClaw agents automatically.