← Back to Skills Marketplace
maverick-software

Vault Enhancements w/ UI

by maverick-software · GitHub ↗ · v3.0.0
cross-platform ✓ Security Clean
768
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install api-key-ui-tab
Description
Vault-backed API Keys management for OpenClaw. Secure file-based secret storage with one-click migration from plaintext config, dynamic key discovery, vault...
README (SKILL.md)

Vault Enhancements w/ UI v3.0.0

Vault-backed API key management for the OpenClaw Control dashboard. Keys are stored in a secure file (~/.openclaw/secrets.json, mode 0600) and referenced via OpenClaw's built-in Secrets System. The AI agent never sees your keys.

Status: ✅ Active

Component Status
Vault File Storage ✅ Working
Secret References (SecretRef) ✅ Working
Dynamic Key Discovery ✅ Working
One-Click Migration ✅ Working
Plugin-Registered Tab ✅ Working
Vault Status Banner ✅ Working
Key Status Badges ✅ Working
Vault-Only Keys Section ✅ Working
Manual "+ Add Secret" Form ✅ Working
Restart Notification Banner ✅ Working
Skills Vault Key Selector ✅ Working
Skills Inline Key Creation ✅ Working
Auth Profiles Display ✅ Working

Features

1. Vault-Backed Storage

Keys are stored in ~/.openclaw/secrets.json (file permissions 0600). When you save a key, the UI:

  1. Writes the value to the vault file
  2. Configures the file secret provider in openclaw.json (if not already present)
  3. Replaces the plaintext config value with a SecretRef object
  4. Shows a restart notification — user must restart gateway for changes to take effect

Config before migration:

{
  "env": {
    "OPENAI_API_KEY": "sk-proj-abc123..."
  }
}

Config after migration:

{
  "env": {
    "OPENAI_API_KEY": { "source": "file", "provider": "default", "id": "/OPENAI_API_KEY" }
  },
  "secrets": {
    "providers": {
      "default": { "source": "file", "path": "~/.openclaw/secrets.json", "mode": "json" }
    },
    "defaults": { "file": "default" }
  }
}

Vault file (~/.openclaw/secrets.json):

{
  "OPENAI_API_KEY": "sk-proj-abc123..."
}

2. One-Click Migration

The "🔒 Migrate to Vault" button appears when plaintext keys are detected. It:

  • Scans openclaw.json for all plaintext API key values
  • Moves each to the vault file
  • Replaces with SecretRef objects in config
  • Auto-configures the file provider if needed
  • Reports what was migrated

3. Dynamic Key Discovery

The UI automatically scans the entire config for API keys — no hardcoded list.

Detection patterns: apiKey, api_key, token, secret, *_KEY, *_TOKEN, *_SECRET

Where it looks:

  • env.* — Environment variables
  • skills.entries.*.apiKey — Skill-specific keys
  • messages.tts.*.apiKey — TTS provider keys
  • Any nested config path

Known providers get friendly names, descriptions, and "Get key ↗" links:

Provider Env Key
Anthropic ANTHROPIC_API_KEY
OpenAI OPENAI_API_KEY
Google / Gemini GOOGLE_API_KEY / GEMINI_API_KEY
Brave Search BRAVE_API_KEY
ElevenLabs ELEVENLABS_API_KEY
Deepgram DEEPGRAM_API_KEY
OpenRouter OPENROUTER_API_KEY
Groq GROQ_API_KEY
Fireworks FIREWORKS_API_KEY
Mistral MISTRAL_API_KEY
xAI (Grok) XAI_API_KEY
Perplexity PERPLEXITY_API_KEY
GitHub GITHUB_TOKEN
Hume AI HUME_API_KEY / HUME_SECRET_KEY

4. Vault Status Banner

Top of the page shows:

  • 🔒 Vault Active (green) — All keys in vault, provider configured
  • ⚠️ X Plaintext Keys Detected (yellow) — Migration recommended

5. Key Status Badges

Each key row shows:

  • VAULT (green) — Stored in secure vault file
  • PLAINTEXT (yellow) — Still in config as raw string
  • NOT SET (grey) — Not configured

6. Vault-Only Keys Section

Keys stored in the vault that aren't referenced by any config path are displayed in a dedicated "Vault-Only Keys" card. These are keys created manually or by skills that don't have a corresponding env/config entry. Each shows:

  • 🔒 icon with the key name (monospace)
  • Masked value preview
  • Delete button

7. Manual "+ Add Secret" Form

The Vault tab header includes a "+ Add Secret" button that expands an inline form:

  • KEY_NAME input (monospace, UPPER_SNAKE_CASE recommended)
  • Secret value input (password field)
  • Save / Cancel buttons
  • Writes to vault with envEntry: false — no config entry created, no restart triggered
  • Key appears immediately in the "Vault-Only Keys" section

8. Restart Notification Banner

When a vault write triggers a config change, a yellow warning banner appears:

⚠ New secrets require a gateway restart to take effect. [Restart Now]

The banner persists until the user clicks "Restart Now" or refreshes. This replaces the previous auto-reload behavior that caused unexpected gateway restarts.

9. Skills Vault Key Selector

On the Skills tab, skills that declare a primaryEnv get a vault key selector instead of a raw password input:

When unlinked:

  • Dropdown shows all vault keys with 🔒 icons
  • "Select vault key for ENV_NAME…" placeholder
  • Selecting a key writes a SecretRef to skills.entries.\x3Ckey>.apiKey in config
  • "+ Add new vault key…" option opens inline creation form

When linked:

  • Shows 🔒 KEY_NAME with an "Unlink" button
  • Unlink removes the SecretRef from config

Inline key creation:

  • KEY_NAME + Secret value fields
  • "Save & Link" creates the vault key and links it to the skill in one step
  • Key also appears in the Vault tab's vault-only keys section

10. Skills Expanded by Default

All skill groups (workspace, built-in, managed) render expanded (\x3Cdetails open>) for better discoverability. Previously workspace and built-in were collapsed by default.

11. Auth Profiles Display

Auth profile keys (from auth-profiles.json) that are stored in the vault are listed with their status. Backend RPCs support listing, error reset, and deletion.

Architecture

Security Model

┌──────────────────────────────────────────────────────────┐
│  Browser                                                  │
│  ┌──────────────────────────────────────────────────┐    │
│  │  Vault Tab                                        │    │
│  │  ┌──────────────────────────────────────────┐    │    │
│  │  │ OpenAI: [••••••••••] [Save] [✕]  🟢VAULT │    │    │
│  │  │ Anthropic: [        ] [Save]     ⚪NOT SET│    │    │
│  │  │ + Add Secret  [KEY_NAME] [value] [Save]   │    │    │
│  │  └──────────────────────────────────────────┘    │    │
│  │                                                   │    │
│  │  Skills Tab                                       │    │
│  │  ┌──────────────────────────────────────────┐    │    │
│  │  │ whisper-api: 🔒 OPENAI_API_KEY  [Unlink] │    │    │
│  │  │ sag:         [Select vault key ▾]         │    │    │
│  │  └──────────────────────────────────────────┘    │    │
│  └──────────────────────────────────────────────────┘    │
│                           │                               │
│                           ▼ (direct RPC, not via agent)   │
└───────────────────────────┼───────────────────────────────┘
                            │
                    ┌───────▼───────┐
                    │   Gateway     │
                    │ secrets.write │
                    │ skills.update │
                    └──┬─────────┬──┘
                       │         │
              ┌────────▼──┐  ┌──▼────────────┐
              │ secrets.   │  │ openclaw.json  │
              │ json       │  │ (SecretRef     │
              │ (0600)     │  │  objects only) │
              └────────────┘  └────────────────┘

Backend RPCs

Method Description
secrets.status Vault file status, key count, plaintext count
secrets.list List secret IDs with masked values
secrets.write Store key in vault + optionally update config with SecretRef. envEntry param (default true) controls whether an env block entry is created. Returns restartNeeded flag instead of auto-reloading.
secrets.delete Remove from vault + config
secrets.migrate Batch-migrate all plaintext keys to vault
secrets.authProfiles.list List auth profile keys with vault status
secrets.authProfiles.resetErrors Reset auth profile error state
secrets.authProfiles.delete Delete an auth profile
skills.update Updated with vaultKeyId param — writes a SecretRef to skills.entries.\x3Ckey>.apiKey or unlinks (empty string)

Skills-Status Integration

SkillStatusEntry includes a vaultKeyId field that reads the raw config JSON (not the runtime-resolved config where SecretRefs are replaced with resolved strings). This is done via extractVaultKeyIdFromConfig() which reads and caches openclaw.json directly, checking for SecretRef objects in skills.entries.\x3Ckey>.apiKey.

Restart Behavior

No auto-restart on vault save. Previously, secrets.write called reloadSecrets() which could trigger a gateway restart. Now:

  • Vault-only saves (envEntry: false) don't touch config — no restart needed
  • Config-touching saves return restartNeeded: true — UI shows a restart banner
  • Skills vault linking writes to config via writeConfigFile() — triggers the config file watcher which causes a gateway restart (inherent to the config watcher system)

OpenClaw Secrets System Integration

This skill uses OpenClaw's built-in Secrets System (src/secrets/):

  • File provider: { source: "file", path: "~/.openclaw/secrets.json", mode: "json" }
  • SecretRef format: { source: "file", provider: "default", id: "/\x3CKEY_NAME>" }
  • Runtime resolution: prepareSecretsRuntimeSnapshot() resolves all refs at gateway startup
  • Security: File permissions checked (0600), ownership verified, path guards

The secrets system also supports env and exec providers for advanced setups (e.g., environment variables, external vault commands). The file provider is the default for this UI.

Files Modified (Source Locations in OpenClaw Repo)

File Purpose
src/gateway/server-methods/secrets.ts Vault RPCs (status, list, write, delete, migrate, authProfiles)
src/gateway/server-methods/skills.ts Skills update with vaultKeyId param
src/gateway/server-methods/plugins-ui.ts Plugin view registration
src/gateway/protocol/schema/agents-models-skills.ts vaultKeyId in SkillsUpdateParamsSchema
src/agents/skills-status.ts vaultKeyId field on SkillStatusEntry, raw config reader
ui/src/ui/controllers/apikeys.ts Vault-aware state, addVaultSecret, loadVaultOnlyKeys
ui/src/ui/controllers/skills.ts VaultKeyEntry type, loadVaultKeys, linkSkillToVaultKey, addVaultKeyAndLink
ui/src/ui/views/apikeys.ts Vault UI (banners, badges, migration, add form, vault-only keys, restart banner)
ui/src/ui/views/skills.ts Vault key selector dropdown, inline creation, expanded groups
ui/src/ui/app.ts State properties (vault, restart, skill key management)
ui/src/ui/app-render.ts Prop wiring for vault and skills
ui/src/ui/app-settings.ts Tab load triggers for vault keys
ui/src/ui/types.ts vaultKeyId on SkillStatusEntry
ui/src/ui/navigation.ts Vault tab (lock icon), removed 1password/discord standalone tabs

Reference Files

apikeys-ui/
├── SKILL.md                              # This file
├── INSTALL_INSTRUCTIONS.md               # Step-by-step installation (legacy)
└── reference/
    ├── apikeys-controller.ts             # UI controller (vault tab)
    ├── apikeys-views.ts                  # UI view (vault tab)
    ├── secrets-rpc.ts                    # Backend vault RPCs
    ├── skills-controller.ts              # UI controller (skills vault integration)
    ├── skills-views.ts                   # UI view (vault key selector)
    ├── skills-status.ts                  # Backend skill status with vaultKeyId
    └── skills-rpc.ts                     # Backend skills update RPC

Key Design Decisions

  1. No auto-restart on savesecrets.write no longer calls reloadSecrets(). A restart banner with "Restart Now" button lets the user decide when to restart.

  2. Vault-only keys — Keys created with envEntry: false don't appear in config. A separate secrets.list call finds all vault entries and shows orphan keys in a dedicated section.

  3. Raw config reading for vaultKeyId — The runtime resolves SecretRefs to strings, so loadConfig() returns resolved values. extractVaultKeyIdFromConfig() reads the raw JSON file directly (with mtime caching) to detect SecretRef objects.

  4. Skills expanded by default — All \x3Cdetails> groups render open for better UX. Collapsed-by-default hid skills that needed configuration.

  5. Skills use vault references, not plaintext — Skills with primaryEnv get a vault key selector dropdown instead of a password input. Linking writes a SecretRef to skills.entries.\x3Ckey>.apiKey in config.

  6. Inline key creation from skills — "+ Add new vault key…" in the skills dropdown creates a vault entry and links it in one step, reducing friction.

Changelog

v3.0.0

  • Manual "+ Add Secret" form in Vault tab header — create vault keys without config entries
  • Vault-Only Keys section — shows keys in vault not referenced by config
  • Restart notification banner — yellow warning with "Restart Now" button replaces auto-reload
  • Skills vault key selector — dropdown replaces raw password input for skills with primaryEnv
  • Skills inline key creation — "+ Add new vault key…" creates and links in one step
  • Skills expanded by default — all groups open, no more collapsed-by-default
  • vaultKeyId on SkillStatusEntry — reads raw config JSON to detect SecretRef objects
  • envEntry param on secrets.write — controls whether an env block entry is created
  • vaultKeyId param on skills.update — writes SecretRef or unlinks skill from vault key

v2.0.0

  • Vault-backed storage: Keys stored in ~/.openclaw/secrets.json (mode 0600) instead of plaintext config
  • SecretRef integration: Config values replaced with OpenClaw SecretRef objects pointing to vault
  • One-click migration: "Migrate to Vault" batch-migrates all plaintext keys
  • Vault status banner: Green (all secure) or yellow warning (plaintext detected)
  • Key badges: VAULT / PLAINTEXT / NOT SET per key
  • New RPCs: secrets.status, secrets.list, secrets.write, secrets.delete, secrets.migrate
  • Plugin UI registration: Moved from old nav to plugin architecture (settings group, position 1)
  • Auto-provider config: Saving a key auto-configures the file secret provider if not present

v1.1.0

  • Dynamic key discovery — scans entire config instead of hardcoded list
  • Auto-grouping by category (Environment / Skills / Other)
  • Common env keys shown even if not configured

v1.0.0

  • Initial release with hardcoded provider slots
  • Save/Clear functionality via config.patch
Usage Guidance
This skill appears to do what it claims: it creates/uses a local file-backed vault (~/.openclaw/secrets.json) and edits your OpenClaw config (~/.openclaw/openclaw.json) to replace plaintext keys with SecretRef objects. Before installing or running a one-click migration: 1) back up ~/.openclaw/openclaw.json (the migration edits that file), 2) review the included source if you want to confirm exact behavior (the package fully lists read/write handlers), 3) note that secrets are stored locally and protected by file permissions (mode 0600) but any local process/user with filesystem access could read them, and 4) there are no apparent external network or exfiltration behaviors in the code. If you prefer system secret managers (OS keyring, cloud KMS), validate whether this local file vault meets your operational security needs.
Capability Analysis
Type: OpenClaw Skill Name: api-key-ui-tab Version: 3.0.0 This skill bundle provides a UI and backend RPCs for secure API key management within OpenClaw. It facilitates storing API keys in a dedicated, permission-restricted file (`~/.openclaw/secrets.json`, mode 0600), migrating plaintext keys, and linking them to skills. The `SKILL.md` explicitly outlines a security model where the AI agent does not directly access keys. All file operations (`fs.readFile`, `fs.writeFile`) and configuration modifications (`openclaw.json`, `auth-profiles.json`) are directly related to its stated purpose. While modifying `openclaw.json` can trigger a gateway restart (as documented), this is an expected side effect of configuration changes, not evidence of malicious intent. No data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts were found.
Capability Assessment
Purpose & Capability
The skill claims to provide vault-backed API-key management and the code matches that: it scans the local openclaw.json for API keys, writes secrets to ~/.openclaw/secrets.json (mode 0600), and patches openclaw.json to use SecretRef objects and configure the 'file' secrets provider. All required actions (reading/writing config and the secrets file, listing/migrating keys, linking skills to vault keys) are proportional to the described purpose.
Instruction Scope
The SKILL.md and implementation instruct the agent/UI to read and mutate the user's openclaw.json and to create/modify ~/.openclaw/secrets.json. This is expected for a migration/secret-management feature, but it does mean the skill will modify your configuration files and create a local secrets vault; users should be aware that migrations are destructive (they replace plaintext entries) and a restart is required for changes to take effect. The code masks values when returning lists/statuses and does not appear to return raw secret values over RPCs.
Install Mechanism
There is no external install spec or network download; the package is instruction-only with included reference source files. The implementation uses standard Node fs APIs to read/write local files and does not fetch code or binaries from external URLs. No extract/download installers observed.
Credentials
The skill requests no environment variables or external credentials. It only accesses local config paths (~/.openclaw/openclaw.json and ~/.openclaw/secrets.json), which aligns with its stated function. The code explicitly skips scanning some sensitive paths (e.g., gateway.auth.token, telegram/discord bot tokens) which is a reasonable safety measure for scope-limited scanning.
Persistence & Privilege
The skill does not request permanent/autonomous privileges (always:false) and does not require model-disable flags. However, it must and does write to user configuration and create a secrets file in the user's home directory — this is appropriate for the feature but is a privileged local operation: changes to openclaw.json are persistent and can affect gateway behavior. The UI warns a restart is required; consider backing up openclaw.json before migration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install api-key-ui-tab
  3. After installation, invoke the skill by name or use /api-key-ui-tab
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.0
v3: Vault key selector for skills, manual +Add Secret form, vault-only keys section, restart notification banner, skills expanded by default, inline key creation from skills tab, vaultKeyId on SkillStatusEntry, envEntry param on secrets.write
v2.0.0
v2.0.0: Vault-backed storage via OpenClaw Secrets System, SecretRef integration, one-click migration, plugin UI registration
v1.0.1
### v1.1.0 - Dynamic API key discovery: automatically scans the entire config for keys, not just a fixed list. - Auto-grouping: keys are now organized by Environment, Skills, or Other categories. - Known providers receive friendly names and "Get key" links; unknown keys are displayed with auto-generated labels. - The UI surfaces common environment variables even if they aren't configured yet. - Added a refresh button to reload key listings. - No agent exposure: browser-to-gateway direct key save remains unchanged.
v1.0.0
api-key-ui-tab v1.0.0 - Initial release of "API Keys" management tab for OpenClaw dashboard. - Add support for 13 API providers with status display, secure entry, and feature mapping. - API keys are saved directly in browser to config; never exposed to the AI agent. - Includes Save and Clear actions, provider documentation links, and masked key previews. - Fully documented setup steps and file structure.
Metadata
Slug api-key-ui-tab
Version 3.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Vault Enhancements w/ UI?

Vault-backed API Keys management for OpenClaw. Secure file-based secret storage with one-click migration from plaintext config, dynamic key discovery, vault... It is an AI Agent Skill for Claude Code / OpenClaw, with 768 downloads so far.

How do I install Vault Enhancements w/ UI?

Run "/install api-key-ui-tab" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Vault Enhancements w/ UI free?

Yes, Vault Enhancements w/ UI is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Vault Enhancements w/ UI support?

Vault Enhancements w/ UI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Vault Enhancements w/ UI?

It is built and maintained by maverick-software (@maverick-software); the current version is v3.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments