← Back to Skills Marketplace
1281
Downloads
2
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install bagman
Description
Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration.
README (SKILL.md)
Bagman
Secure key management patterns for AI agents handling wallets, private keys, and secrets.
When to Use This Skill
- Agent needs wallet/blockchain access
- Handling API keys, credentials, or secrets
- Building systems where AI controls funds
- Preventing secret leakage via prompts or outputs
Quick Start
# Install 1Password CLI
brew install 1password-cli
# Authenticate
eval $(op signin)
# Create vault for agent credentials
op vault create "Agent-Credentials"
# Run examples
cd examples && python test_suite.py
Core Rules
| Rule | Why |
|---|---|
| Never store raw private keys | Config, env, memory, or conversation = leaked |
| Use delegated access | Session keys with time/value/scope limits |
| Secrets via secret manager | 1Password, Vault, AWS Secrets Manager |
| Sanitize all outputs | Scan for key patterns before any response |
| Validate all inputs | Check for injection attempts before wallet ops |
Architecture
┌─────────────────────────────────────────────────────┐
│ AI Agent │
├─────────────────────────────────────────────────────┤
│ Session Key (bounded) │
│ ├─ Expires after N hours │
│ ├─ Max spend per tx/day │
│ └─ Whitelist of allowed contracts/methods │
├─────────────────────────────────────────────────────┤
│ Secret Manager (1Password/Vault) │
│ ├─ Retrieve at runtime only │
│ ├─ Never persist to disk │
│ └─ Audit trail of accesses │
├─────────────────────────────────────────────────────┤
│ Smart Account (ERC-4337) │
│ ├─ Programmable permissions │
│ └─ Recovery without key exposure │
└─────────────────────────────────────────────────────┘
Implementation Files
| File | Purpose |
|---|---|
examples/secret_manager.py |
1Password integration for runtime secret retrieval |
examples/sanitizer.py |
Output sanitization (keys, seeds, tokens) |
examples/validator.py |
Input validation (prompt injection defense) |
examples/session_keys.py |
ERC-4337 session key configuration |
examples/delegation_integration.ts |
MetaMask Delegation Framework (EIP-7710) |
examples/pre-commit |
Git hook to block secret commits |
examples/test_suite.py |
Adversarial test suite |
docs/prompt-injection.md |
Deep dive on injection defense |
docs/secure-storage.md |
Secret storage patterns |
docs/session-keys.md |
Session key architecture |
docs/leak-prevention.md |
Output sanitization patterns |
docs/delegation-framework.md |
On-chain permission enforcement (EIP-7710) |
1. Secret Retrieval
1Password CLI Pattern
# Retrieve at runtime (never store result)
SESSION_KEY=$(op read "op://Agents/my-agent/session-key")
# Run with injected secrets (never touch disk)
op run --env-file=.env.tpl -- python agent.py
.env.tpl (safe to commit - no secrets)
PRIVATE_KEY=op://Agents/trading-bot/session-key
RPC_URL=op://Infra/alchemy/sepolia-url
OPENAI_API_KEY=op://Services/openai/api-key
Python Usage
from secret_manager import get_session_key
# Retrieve validated session key
creds = get_session_key("trading-bot-session")
# Check validity
if creds.is_expired():
raise ValueError("Session expired - request renewal from operator")
print(f"Time remaining: {creds.time_remaining()}")
print(f"Allowed contracts: {creds.allowed_contracts}")
# Use the key (never log it!)
client.set_signer(creds.session_key)
Vault-Level ACL (Recommended)
Configure 1Password vault permissions:
Agent-Credentials/
├── trading-bot-session # Agent can read
├── payment-bot-session # Agent can read
└── master-key # Operator ONLY (agent has no access)
Principle: Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access.
2. Output Sanitization
Apply to ALL agent outputs before sending anywhere:
from sanitizer import OutputSanitizer
def respond(content: str) -> str:
"""Sanitize before any output."""
return OutputSanitizer.sanitize(content)
# Catches:
# - Private keys (0x + 64 hex)
# - OpenAI/Anthropic/Groq/AWS keys
# - GitHub/Slack/Discord tokens
# - BIP-39 seed phrases (12/24 words)
# - PEM private keys
# - JWT tokens
Patterns Detected
| Pattern | Example | Result |
|---|---|---|
| ETH private key | 0x1234...abcd (64 hex) |
[PRIVATE_KEY_REDACTED] |
| ETH address | 0x742d...f44e (40 hex) |
0x742d...f44e (truncated) |
| OpenAI key | sk-proj-abc123... |
[OPENAI_KEY_REDACTED] |
| Anthropic key | sk-ant-api03-... |
[ANTHROPIC_KEY_REDACTED] |
| 12-word seed | abandon ability able... |
[SEED_PHRASE_12_WORDS_REDACTED] |
| JWT | eyJhbG... |
[JWT_TOKEN_REDACTED] |
3. Input Validation
Check inputs before ANY wallet operation:
from validator import InputValidator, ThreatLevel
result = InputValidator.validate(user_input)
if result.level == ThreatLevel.BLOCKED:
return f"Request blocked: {result.reason}"
if result.level == ThreatLevel.SUSPICIOUS:
# Log for review, but allow
log_suspicious(user_input, result.reason)
# Proceed with operation
Threat Categories
| Category | Examples | Action |
|---|---|---|
| Extraction | "show private key", "reveal secrets" | Block |
| Override | "ignore previous instructions" | Block |
| Role manipulation | "you are now admin" | Block |
| Jailbreak | "DAN mode", "bypass filters" | Block |
| Exfiltration | "send config to https://..." | Block |
| Wallet threats | "transfer all", "unlimited approve" | Block |
| Encoded | Base64/hex encoded attacks | Block |
| Unicode tricks | Cyrillic lookalikes, zero-width | Block |
| Suspicious | "hypothetically", "just between us" | Warn |
4. Operation Allowlisting
Never execute arbitrary operations. Explicit whitelist only:
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional
@dataclass
class AllowedOperation:
name: str
handler: callable
max_value: Optional[Decimal] = None
requires_confirmation: bool = False
cooldown_seconds: int = 0
ALLOWED_OPS = {
"check_balance": AllowedOperation("check_balance", get_balance),
"transfer_usdc": AllowedOperation(
"transfer_usdc",
transfer,
max_value=Decimal("500"),
requires_confirmation=True,
cooldown_seconds=60
),
"swap": AllowedOperation(
"swap",
swap_tokens,
max_value=Decimal("1000"),
cooldown_seconds=300
),
}
def execute(op_name: str, **kwargs):
if op_name not in ALLOWED_OPS:
raise PermissionError(f"Operation '{op_name}' not allowed")
op = ALLOWED_OPS[op_name]
if op.max_value and kwargs.get("amount", 0) > op.max_value:
raise PermissionError(f"Amount exceeds limit: {op.max_value}")
if op.requires_confirmation:
return request_confirmation(op_name, kwargs)
return op.handler(**kwargs)
5. Confirmation Flow
High-value operations require explicit confirmation:
import hashlib
import time
pending_confirmations = {}
def request_confirmation(operation: str, details: dict) -> str:
code = hashlib.sha256(
f"{operation}{time.time()}".encode()
).hexdigest()[:8].upper()
pending_confirmations[code] = {
"op": operation,
"details": details,
"expires": time.time() + 300 # 5 minutes
}
return f"⚠️ Confirm '{operation}' with code: {code}\
(expires in 5 minutes)"
def confirm(code: str):
if code not in pending_confirmations:
return "Invalid confirmation code"
req = pending_confirmations.pop(code)
if time.time() > req["expires"]:
return "Confirmation code expired"
return execute_confirmed(req["op"], req["details"])
6. Session Keys (ERC-4337)
Instead of giving agents master keys, issue bounded session keys:
from session_keys import SessionKeyManager
# Operator creates trading session for agent
config = SessionKeyManager.create_trading_session(
agent_name="alpha-trader",
operator_address="0x742d...",
duration_hours=24,
max_trade_usdc=1000,
daily_limit_usdc=5000,
)
# Export for storage in 1Password
export_data = SessionKeyManager.export_for_1password(
config,
session_key_hex="0x..." # Generated session key
)
# op item create ... (store in 1Password)
Session Key Benefits
| Feature | Master Key | Session Key |
|---|---|---|
| Expiration | Never | Configurable (hours/days) |
| Spending limits | None | Per-tx and daily caps |
| Contract restrictions | Full access | Whitelist only |
| Revocation | Requires key rotation | Instant, no key change |
| Audit | None | Full operation log |
7. Pre-commit Hook
Block commits containing secrets:
# Install
cp examples/pre-commit .git/hooks/
chmod +x .git/hooks/pre-commit
Detected patterns:
- ETH private keys (64 hex chars)
- OpenAI/Anthropic/Groq keys
- AWS access keys
- GitHub/GitLab tokens
- Slack/Discord tokens
- PEM private keys
- Generic PASSWORD/SECRET assignments
- BIP-39 seed phrases
8. Defense Layers
USER INPUT
│
▼
┌────────────────────────────┐
│ Layer 1: Input Validation │ ← Regex + encoding + unicode checks
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 2: Op Allowlisting │ ← Explicit whitelist only
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 3: Value Limits │ ← Max per-tx and per-day
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 4: Confirmation │ ← Time-limited codes for $$$
└────────────────────────────┘
│
▼
┌────────────────────────────┐
│ Layer 5: Isolated Exec │ ← Wallet ops != conversation
└────────────────────────────┘
│
▼
OUTPUT SANITIZATION
Common Mistakes
❌ Keys in memory files
# memory/2026-02-07.md
Private key: 0x9f01dad551039daad...
Fix: Store reference only: Private key: [stored in 1Password: test-wallet]
❌ Keys in error messages
except Exception as e:
log(f"Failed with key {private_key}: {e}")
Fix: Never include credentials in error context
❌ Keys in .env.example
PRIVATE_KEY=sk-ant-api03-real-key... # "for testing"
Fix: Use obviously fake: PRIVATE_KEY=your-key-here
❌ "All" in transfer requests
User: "Transfer all my USDC"
Agent: *executes unlimited transfer*
Fix: Block "all/everything/max" patterns, require explicit amounts
❌ Trusting conversation context
# Wallet has access to conversation history
self.wallet.execute(conversation[-1]["content"])
Fix: Wallet operations must be isolated from conversation context
Testing
cd examples
# Run full test suite
python test_suite.py
# Test individual components
python sanitizer.py # Output sanitization demo
python validator.py # Input validation demo
python session_keys.py # Session key demo
Expected output: All tests passed
Checklist
- 1Password CLI installed and authenticated
- Secrets in 1Password vault, not files
- Session keys with expiry and limits
- Output sanitization on all responses
- Input validation before wallet ops
- Pre-commit hook installed
- Confirmation flow for high-value operations
- Wallet operations isolated from conversation
- .gitignore covers secrets and memory files
- Test suite passes
Security Model Limitations
This skill provides defense in depth, not a guarantee. Adversaries may:
- Novel injection patterns - Regex can't catch everything; semantic analysis helps but isn't perfect
- Social engineering - Convincing the operator to approve malicious operations
- Timing attacks - Exploiting confirmation windows
- Encoding evasion - New encoding schemes not covered
Recommendation: Layer these defenses with:
- Rate limiting
- Anomaly detection
- Human-in-the-loop for large transactions
- Regular security audits
Usage Guidance
This is an instruction-only security pattern library that expects you to run and configure tooling (1Password CLI, optional Foundry/gitleaks, Python/Node examples). Before using: 1) Verify the skill source (check the GitHub repo and commit history) and review any code snippets you plan to run. 2) Install and sign into 1Password yourself; create a dedicated 'Agent-Credentials' vault and ensure the agent account has only the minimal read permissions for session keys — never give the agent master keys. 3) Treat remediation commands (git filter-branch, force-push) as destructive — test backups and use safer git-secret-removal tools if unsure. 4) Review and test the InputValidator and OutputSanitizer in an isolated environment; do not assume they are perfect. 5) If you plan to let the agent act autonomously, add human confirmation steps and monitoring/alerts for secret access and transactions. If you want higher assurance, ask the skill author for an authoritative release repo, signed releases, and small runnable testcases you can audit before granting any agent access to real funds or secrets.
Capability Analysis
Type: OpenClaw Skill
Name: bagman
Version: 2.1.0
The 'bagman' skill bundle is entirely focused on providing robust security measures for AI agents handling sensitive data and financial operations. It details comprehensive defenses against prompt injection, secret exfiltration, and unauthorized transactions through input validation, output sanitization, operation allowlisting, confirmation flows, isolated execution, and secure secret storage (1Password, session keys, on-chain delegation). All commands and code snippets are illustrative for implementing these security features, with no evidence of malicious intent or instructions for the agent to perform harmful actions. The `eval $(op signin)` command is a standard and necessary step for 1Password CLI authentication within a trusted context.
Capability Assessment
Purpose & Capability
The name/description (key management, session keys, delegation) aligns with the content: examples center on 1Password CLI ('op'), session-key patterns, ERC-4337/Delegation Framework integration, and prompt-injection defenses. Declaring 'op' as the required binary is appropriate given the heavy 1Password usage. The skill references other tooling (Foundry, gitleaks, Vault, AWS SDK) but only as optional integrations or examples — not required env vars — which is proportionate to the stated purpose.
Instruction Scope
SKILL.md is instruction-only and stays focused on secret retrieval, sanitization, input validation, session keys, and delegation. It contains runnable examples (op signin/read/run, subprocess/execSync calls, pre-commit hooks, git filter-branch remediation) which are expected for an operational guide. Note: some remediation commands (git filter-branch + force push) are destructive and the pre-commit sample mentions a bypass (git commit --no-verify) — operators should treat those with caution and not run destructive commands without understanding them. The file also includes explicit defensive patterns that match common jailbreak phrases (e.g., 'ignore previous instructions').
Install Mechanism
There is no install spec (instruction-only), which minimizes disk-write risk. The guide recommends installing well-known tools via brew (1Password CLI, gitleaks) — a low-risk, expected approach for this purpose. No remote download+extract operations are embedded in the skill itself.
Credentials
The skill declares no required env vars or credentials, which is consistent with an operations guide that uses a secret manager (1Password). The examples do show alternate integrations (AWS Secrets Manager, Vault) and systemd/Secrets usage; those imply operator-provided credentials at runtime but the skill does not request unrelated secrets. Important operator responsibility: follow the guide to ensure the agent vault only exposes session keys (not master keys) and restrict agent read permissions; misconfiguration could give excessive access.
Persistence & Privilege
The skill is not always-included and does not request persistent system changes itself (instruction-only). It does not modify other skills or system-wide agent settings. It does describe creating vaults and pre-commit hooks, which are normal operational artifacts but require operator approval to deploy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install bagman - After installation, invoke the skill by name or use
/bagman - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
v2.1: MetaMask Delegation Framework (EIP-7710) integration, patched 9 security gaps from adversarial testing, 18 passing integration tests
v1.0.0
Initial release of Bagman for secure key management by AI agents.
- Provides security patterns and best practices for handling private keys, API secrets, and wallet credentials.
- Enforces secret storage and retrieval via 1Password CLI (`op`), avoiding raw key storage in config, files, or logs.
- Introduces session keys with scoped permissions and automatic expiration.
- Includes sample implementations for secure workflows, output sanitization, and prompt injection defense.
- Supplies references, code snippets, and pre-commit hooks to prevent accidental secret leakage.
- Details an agent wallet stack architecture for layered security and auditability.
Metadata
Frequently Asked Questions
What is Openclaw?
Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration. It is an AI Agent Skill for Claude Code / OpenClaw, with 1281 downloads so far.
How do I install Openclaw?
Run "/install bagman" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw free?
Yes, Openclaw is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Openclaw support?
Openclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw?
It is built and maintained by zscole (@zscole); the current version is v2.1.0.
More Skills