# NC-AUTH-002: No API tokens in workspace files
## What this checks
Scans workspace files for exposed API tokens and credentials.
## Why it matters
API tokens in workspace files can be accidentally committed to version control or accessed by unauthorized users.
## How to fix it
Move API tokens to environment variables or a secrets manager. See: https://clawvitals.io/docs/NC-AUTH-002
## Technical details
| Field | Value |
|---|---|
| Control ID | NC-AUTH-002 |
| Domain | AUTH |
| Severity | High |
| Status | Experimental |
| Data source | workspace_scan |
| Source type | derived |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
| OWASP LLM 2025 | LLM02: Sensitive Information Disclosure |
## False positive notes
May match non-token strings that look like tokens. Higher false-positive risk than authoritative checks.
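To make the scan, its false-positive trade-off and the recommended fix concrete, here is an added example scanner. It is not clawvitals' own `workspace_scan` implementation; the regex, the entropy threshold, the placeholder list and the sample workspace contents are all assumptions constructed for illustration. It flags assignment-style secrets (`API_TOKEN = "..."`, `export DEPLOY_SECRET=...`), skips obvious placeholders and low-entropy values (the kind of "token-looking" strings that cause false positives), ignores code that already reads the value from the environment, and shows the environment-variable lookup the fix recommends.

```python
"""Illustrative API-token scanner for workspace files (added example, not the
clawvitals implementation). File contents are passed in as text so the example
runs offline against a constructed sample workspace."""
import math
import os
import re
from collections import Counter
from typing import Mapping, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    entropy: float


# Assumption: secrets appear as KEY = "value", key: value, or export KEY=value,
# where the key name contains api_key / token / secret / password.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?P<key>[A-Z0-9_.-]*(?:api[_-]?key|token|secret|password)[A-Z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9_\-./+=]{16,})['\"]?"
)

# Values that documentation and templates commonly use; never real credentials.
PLACEHOLDER_RE = re.compile(r"(?i)(your|example|placeholder|changeme|xxx)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real tokens score high, filler scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return one Finding per line that looks like a hard-coded token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue  # no key/value assignment on this line
        value = m.group("value")
        if PLACEHOLDER_RE.search(value):
            continue  # template placeholder, not a credential
        ent = shannon_entropy(value)
        if ent < min_entropy:
            continue  # repetitive filler such as 'aaaaaaaa...' is not a token
        findings.append(Finding(path, line_no, m.group("key"), round(ent, 2)))
    return findings


def scan_workspace(files: Mapping[str, str]) -> list:
    """Scan a mapping of path -> file contents and concatenate the findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def load_token(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The recommended fix: read the token from the environment, never a file."""
    source = os.environ if env is None else env
    token = source.get(name)
    if not token:
        raise RuntimeError(f"{name} is not set; export it or use a secrets manager")
    return token


# Constructed sample workspace; the token-like values are random-looking
# placeholders made up for this example, not real credentials.
SAMPLE_WORKSPACE = {
    "config.py": 'API_TOKEN = "q7Rk2pL9xWm4Zn8vBt3yHc6fJd1gAe5s"\n',
    "README.md": 'Set API_KEY = "YOUR_API_KEY_HERE" before running.\n',
    "settings.py": 'token = os.environ["SERVICE_TOKEN"]\n',
    "notes.txt": "password: aaaaaaaaaaaaaaaaaaaa\n",
    ".env.example": "SECRET_KEY=changeme-before-deploying\n",
    "deploy.sh": 'export DEPLOY_SECRET="Zt4Lm9Qw2Xv7Bn1Kc6Pj3Rf8Hd5Ys0Ga"\n',
}


if __name__ == "__main__":
    for f in scan_workspace(SAMPLE_WORKSPACE):
        print(f"{f.path}:{f.line_no}: hard-coded {f.key} (entropy {f.entropy})")
```

Only `config.py` and `deploy.sh` are reported; the README placeholder, the environment lookup in `settings.py`, the low-entropy filler and the `.env.example` template are all skipped. The entropy threshold and placeholder list are exactly the knobs that trade detection against the false positives this control warns about, which is why the control is rated experimental rather than authoritative.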
## Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
```sh
clawvitals exclude NC-AUTH-002 reason "your reason here"
```
Exclusions are auditable and expire automatically. See the exclusions guide.