Problem
docs/SKILL.md currently suggests checking git config for a Forgejo password:
grep -o 'https://[^:]*:[^@]*@' ~/.openclaw/workspace/.git/config | head -1
That teaches agents to scrape credentials from git remotes and risks printing secrets into logs or transcripts.
Suggested behavior
Avoid any instructions that extract or display passwords/tokens from git config. Prefer explicit token provisioning through environment variables, a secret manager, or an interactive human-provided token.
Implementation hints
Replace that section with a flow that assumes FORGEJO_TOKEN is provided out-of-band and never printed:
export FORGEJO_TOKEN=...
mkdir -p ~/.config/tea
python3 -c 'import os, pathlib; p=pathlib.Path.home()/".config/tea/config.yml"; p.write_text("logins:
- name: olymp
url: https://forgejo.tail593e12.ts.net
token: %s
default: true
" % os.environ["FORGEJO_TOKEN"])'
unset FORGEJO_TOKEN
The exact implementation can vary, but the docs should avoid commands that print or scrape stored credentials.
Problem
docs/SKILL.mdcurrently suggests checking git config for a Forgejo password:That teaches agents to scrape credentials from git remotes and risks printing secrets into logs or transcripts.
Suggested behavior
Avoid any instructions that extract or display passwords/tokens from git config. Prefer explicit token provisioning through environment variables, a secret manager, or an interactive human-provided token.
Implementation hints
Replace that section with a flow that assumes
FORGEJO_TOKENis provided out-of-band and never printed:The exact implementation can vary, but the docs should avoid commands that print or scrape stored credentials.