Secrets Management
by brandonwise · GitHub ↗ · v1.0.0
Downloads: 835 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install secrets-management
Description
Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools.
Usage Guidance
This skill's instructions are broadly consistent with a secrets-management guide, but the registry metadata is incomplete. Before installing or following the examples:
- Treat the SKILL.md examples as templates only — do not copy dev-mode Vault with a root token into production.
- Expect to need tools and credentials not listed in metadata (vault, aws-cli, docker, jq, kubectl, terraform, and CI provider secrets like VAULT_TOKEN, AWS_ACCESS_KEY_ID/SECRET).
- Ensure any credentials you supply use least-privilege IAM roles or short-lived tokens and never paste real secrets into examples.
- Verify the skill's publisher/source (homepage is missing) and prefer packages that explicitly declare required env vars and binaries.
- If you need to trust this skill for automation, ask the author to update metadata to list required env vars/binaries and to replace insecure examples (vault -dev with root token) with safe, production-oriented instructions.
Capability Analysis
Type: OpenClaw Skill
Name: secrets-management
Version: 1.0.0
The OpenClaw AgentSkills bundle is benign, providing comprehensive documentation and code examples for secure secrets management using various tools like HashiCorp Vault, AWS Secrets Manager, and Kubernetes External Secrets. All code snippets (shell commands, YAML, Python, HCL) are illustrative examples for setting up, integrating, rotating, and scanning secrets, aligning perfectly with the stated purpose. There is no evidence of malicious intent, data exfiltration, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent within the `SKILL.md` or `_meta.json` files. The content focuses on best practices and legitimate security tools.
Capability Assessment
Purpose & Capability
The skill's name and description (Vault, AWS Secrets Manager, CI/CD integration) align with the instructions and snippets in SKILL.md. However, the declared metadata lists no required environment variables or binaries even though the instructions repeatedly reference Vault, AWS CLI, GitHub/GitLab CI secrets, kubectl/ExternalSecrets, Terraform, docker, jq, and other tools. The tool choices are appropriate for the stated purpose, but the metadata omission is a mismatch.
Instruction Scope
The runtime instructions explicitly reference and expect secret-bearing environment variables and credentials (e.g., VAULT_TOKEN, VAULT_ADDR, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, $GITHUB_ENV, GitHub/GitLab secrets). The SKILL.md also shows commands that read/write secrets (vault kv put/get, aws secretsmanager get-secret-value, echoing secrets into $GITHUB_ENV, using add-mask), and runs containers (trufflehog) and CLIs (vault, aws, docker, jq). The metadata does not declare these dependencies, and the instructions include risky examples such as starting Vault in dev mode with a root token, which is insecure if copied to production.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing is written to disk by the skill itself. That lowers installation risk, but the guidance presumes availability of many external binaries/containers (vault, aws-cli, kubectl, terraform, docker, trufflesecurity/trufflehog image) without declaring them. Consumers must provision those tools separately; the omission is a documentation/metadata gap.
Credentials
Although the skill is about secrets, the declared registry metadata lists no required environment variables or primary credential. SKILL.md requires/uses multiple sensitive variables (VAULT_TOKEN, VAULT_ADDR, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, $VAULT_TOKEN in CI, etc.). The skill should have declared these expected env vars in metadata and explained least-privilege requirements. As-is, there's a mismatch between the sensitivity of what's used and what the package declares.
Persistence & Privilege
The skill does not request always:true and does not include install hooks or code that would persist in the agent. It is user-invocable and permits model invocation (the platform default), which is appropriate for this kind of guidance-only skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install secrets-management
- After installation, invoke the skill by name or use /secrets-management
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Vault, AWS Secrets Manager, K8s External Secrets, rotation patterns
Frequently Asked Questions
What is Secrets Management?
Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools. It is an AI Agent Skill for Claude Code / OpenClaw, with 835 downloads so far.
How do I install Secrets Management?
Run "/install secrets-management" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Secrets Management free?
Yes, Secrets Management is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Secrets Management support?
Secrets Management is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Secrets Management?
It is built and maintained by brandonwise (@brandonwise); the current version is v1.0.0.