Secret Portal

Spin up a one-time web UI for securely entering secret keys and env vars. Supports guided instructions, single-key mode, and cloudflared tunneling.

This skill is a coherent wrapper for an external tool (uv) that will run a one‑time secret entry UI and write secrets to a file. Before installing or using it: 1) Verify the 'uv' CLI and the referenced GitHub project (https://github.com/Olafs-World/secret-portal) — inspect the code or the package source so you know what will run. 2) Confirm how 'cloudflared' (or any tunnel binary) is downloaded and from which URL; prefer tooling that pulls releases from official, signed sources. 3) Choose the env-file path deliberately (avoid world-readable locations) and consider using a temporary VM/container or ephemeral workspace to limit exposure. 4) If you cannot audit the external binaries, avoid passing high‑value secrets (production API keys) to this flow. 5) If you need stronger guarantees about logging/exfiltration, require cryptographic verification of binaries or use a known audited tool instead.

Type: OpenClaw Skill Name: secret-portal Version: 0.1.0 The skill bundle is classified as benign. The `SKILL.md` describes a tool for securely collecting user-entered secrets via a temporary web UI and saving them to a local file. It explicitly states security measures like one-time use, token authentication, `600` file permissions, and not logging secrets to stdout/stderr. The installation process uses `brew` for `uv`, and tunneling options like `cloudflared` are legitimate tools used for the stated purpose of making the local web UI accessible. There is no evidence of data exfiltration of existing system secrets, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation.