← Back to Skills Marketplace
jawaddxb

Key Swap

by jawaddxb · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
379
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install keyswap
Description
Rotate Claude Max API token for OpenClaw Anthropic profiles. Use when the user says "swap key", "rotate key", "new key", "keyswap", or provides a new `sk-ant...
README (SKILL.md)

Key Rotation

Rotate the Claude Max API token for both Anthropic profiles (anthropic:jawadjarvis and anthropic:manual) in OpenClaw.

Instructions

  1. If the user has not provided a token, ask for one. It must start with sk-ant-.
  2. Run the rotation script:
bash /opt/homebrew/lib/node_modules/openclaw/skills/keyswap/scripts/keyswap.sh \x3Ctoken>
  1. Report the result to the user. On success, confirm both profiles were updated and the gateway restarted. On failure, show the error output.
Usage Guidance
This skill appears to be what it claims: it asks the user for a new sk-ant- token, updates your OpenClaw Anthropic profiles file, and restarts the gateway. Before running it, ensure: 1) you trust the token you will provide, 2) you have a backup of $HOME/.openclaw/agents/main/agent/auth-profiles.json (the script overwrites it), 3) jq is installed and the OpenClaw CLI/LaunchAgent exist on your system (the SKILL.md assumes a macOS/Homebrew path and uses launchctl), and 4) you are comfortable that usageStats and failureCounts for those profiles will be reset (the script clears historic failure data). If your OpenClaw installation path differs, run the bundled script from its actual location or copy it into place rather than blindly running the exact /opt/homebrew/... command.
Capability Analysis
Type: OpenClaw Skill Name: keyswap Version: 1.0.0 The `SKILL.md` file instructs the OpenClaw agent to execute a `bash` script (`scripts/keyswap.sh`) with a user-provided token. This direct embedding of user input into a shell command creates a significant shell injection vulnerability, as an attacker could append arbitrary commands (e.g., `sk-ant-foo; rm -rf /`) that would be executed by the agent after the `keyswap.sh` script completes. Although the `keyswap.sh` script attempts to mitigate injection within its `jq` command using `--arg`, this does not protect against commands executed *outside* the script's scope by the agent's initial command parsing. There is no evidence of intentional malicious behavior like data exfiltration or backdoors within the skill's code or instructions, but the vulnerability is critical.
Capability Assessment
Purpose & Capability
Name and description match the actual behavior: the script updates the Anthropic profile tokens in the OpenClaw auth file. No unrelated credentials or services are requested. The skill assumes OpenClaw stores profiles at $HOME/.openclaw/agents/main/agent/auth-profiles.json and will update two profiles; this is coherent with 'rotate key' functionality. Note: the SKILL.md references an absolute install path (/opt/homebrew/...) which assumes a specific installation layout (macOS/Homebrew/npm global), but that is an implementation detail rather than a mismatch of purpose.
Instruction Scope
Instructions are narrowly scoped: ask user for a token (must start with sk-ant-), run the included script, and report results. The script reads and overwrites the local auth-profiles.json, resets usageStats for the specified profiles, and restarts the OpenClaw gateway. This stays within the stated purpose, but the instructions do not mention prerequisites (jq, correct file path, permissions) or error-recovery (backup of auth file). Also the script resets usageStats and deletes failureCounts — this is functional but could remove historical failure data, which users may want to be aware of.
Install Mechanism
No install spec is present (instruction-only plus bundled script), so nothing is downloaded or installed by the skill. The script is bundled in the package. The SKILL.md directs running the script from a fixed /opt/homebrew/... path; if the user's installation location differs the provided command may fail. No external downloads or obscure URLs are used.
Credentials
The skill requests no environment variables and no external credentials. It does modify the local OpenClaw auth file (which contains API tokens) — that is exactly what key rotation requires. There is no attempt to transmit tokens externally. Users should note the script runs as the invoking user and will overwrite the auth-profiles.json in that user's home directory.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It modifies OpenClaw's own auth file and restarts the OpenClaw gateway (via launchctl), which is appropriate for rotating an active key. The script does not alter other skills' configs or system-wide settings beyond restarting the gateway for the current user. Note: restart uses macOS-specific launchctl invocation and may fail or be inappropriate on non-macOS systems.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install keyswap
  3. After installation, invoke the skill by name or use /keyswap
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the keyswap skill. - Enables rotation of Claude Max API tokens for OpenClaw Anthropic profiles. - Responds to user requests such as "swap key" or when a new `sk-ant-` token is provided. - Guides users to supply a valid token if not already provided. - Automates execution of a shell script to update both profiles and restart the gateway. - Confirms success or reports error details based on script output.
Metadata
Slug keyswap
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Key Swap?

Rotate Claude Max API token for OpenClaw Anthropic profiles. Use when the user says "swap key", "rotate key", "new key", "keyswap", or provides a new `sk-ant... It is an AI Agent Skill for Claude Code / OpenClaw, with 379 downloads so far.

How do I install Key Swap?

Run "/install keyswap" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Key Swap free?

Yes, Key Swap is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Key Swap support?

Key Swap is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Key Swap?

It is built and maintained by jawaddxb (@jawaddxb); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments