← Back to Skills Marketplace
366
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install secret-safe
Description
Secure API key and secrets management for agent skills. Use this skill whenever a task requires authenticating with an external service, reading or writing A...
Usage Guidance
This is a documentation-only skill that teaches reasonable secret-handling patterns; it's coherent and low-risk. Before relying on its examples, consider a small tweak: avoid expanding secrets into command-line arguments (they can appear in process listings). Prefer injecting values into the subprocess environment (exported env) or use tools/CLI options that read secrets from stdin or environment rather than placing them in argv. If you embed these patterns in a real skill, ensure you add explicit requires.env frontmatter and avoid echoing or printing secrets anywhere.
Capability Analysis
Type: OpenClaw Skill
Name: secret-safe
Version: 1.0.0
This skill bundle, 'secret-safe', is entirely dedicated to promoting and enforcing secure credential handling practices within the OpenClaw ecosystem. All files (SKILL.md, audit-checklist.md, env-injection-examples.md) provide comprehensive documentation, examples, and checklists for preventing API key and secret leaks. The instructions explicitly warn against common vulnerabilities like echoing secrets, storing them in logs, or asking users to paste them into chat. There is no evidence of malicious intent, data exfiltration, unauthorized execution, or prompt injection designed to compromise the agent or user; instead, the skill aims to educate and protect against such risks.
Capability Assessment
Purpose & Capability
Name and description match the content: the skill is an instructional guide for secure secret handling. It declares no env requirements, no installs, and provides patterns for other skills to adopt. There are no unrelated credentials, binaries, or install steps requested.
Instruction Scope
SKILL.md stays within its stated scope (environment injection, secrets manager wrappers, and audit checklists). It explicitly warns against pasting secrets into chat, logging secrets, or dumping env files. One small inconsistency: the 'safe curl' example uses shell variable expansion inside a header argument (MY_SERVICE_API_KEY="$MY_SERVICE_API_KEY" curl -H "Authorization: Bearer $MY_SERVICE_API_KEY" ...). Expanding secrets into command arguments can expose them via process listings on some systems (ps). The skill does elsewhere warn about positional args and set -x; overall the guidance is good but the example could be tightened to avoid potential process-argv exposure.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes install risk; nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials itself (it is a template/guide). Where it suggests requires.env entries for other skills, those are appropriate and proportional to the described integrations (OpenAI, GitHub, AWS, etc.). There are no unexplained secret or config path requests.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It only provides guidance and recommended patterns; no privileged behavior is requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install secret-safe - After installation, invoke the skill by name or use
/secret-safe - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Secret-safe 1.0.0
- Introduces a comprehensive skill for secure API key and secret management in agent skills.
- Provides strict rules to prevent secrets from ever appearing in LLM context, logs, or file artifacts.
- Offers safe implementation patterns, including environment variable injection and secrets manager usage.
- Details auditing guidance and self-checklists for skill safety reviews.
- Includes reference materials for popular API workflows and security audits.
Metadata
Frequently Asked Questions
What is Secret's Safe?
Secure API key and secrets management for agent skills. Use this skill whenever a task requires authenticating with an external service, reading or writing A... It is an AI Agent Skill for Claude Code / OpenClaw, with 366 downloads so far.
How do I install Secret's Safe?
Run "/install secret-safe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Secret's Safe free?
Yes, Secret's Safe is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Secret's Safe support?
Secret's Safe is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Secret's Safe?
It is built and maintained by BryceXBT (@brycexbt); the current version is v1.0.0.
More Skills