Skip to content

Replace credential extraction guidance in SKILL.md with safer token setup #10

Description

@blink-claw-bot

Problem

docs/SKILL.md currently suggests checking git config for a Forgejo password:

grep -o 'https://[^:]*:[^@]*@' ~/.openclaw/workspace/.git/config | head -1

That teaches agents to scrape credentials from git remotes and risks printing secrets into logs or transcripts.

Suggested behavior

Avoid any instructions that extract or display passwords/tokens from git config. Prefer explicit token provisioning through environment variables, a secret manager, or an interactive human-provided token.

Implementation hints

Replace that section with a flow that assumes FORGEJO_TOKEN is provided out-of-band and never printed:

export FORGEJO_TOKEN=...
mkdir -p ~/.config/tea
python3 -c 'import os, pathlib; p=pathlib.Path.home()/".config/tea/config.yml"; p.write_text("logins:
  - name: olymp
    url: https://forgejo.tail593e12.ts.net
    token: %s
    default: true
" % os.environ["FORGEJO_TOKEN"])'
unset FORGEJO_TOKEN

The exact implementation can vary, but the docs should avoid commands that print or scrape stored credentials.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions