← Back to Skills Marketplace

Vincent - Credentials

Name: Vincent - Credentials
Author: glitch003

by Chris Cassano · GitHub ↗ · v1.0.69 · MIT-0

cross-platform ⚠ suspicious

547

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install vincent-credentials

Description

Secure credential management for agents. Use this skill when users need to store API keys, passwords, OAuth tokens, or SSH keys and write them to .env files...

Usage Guidance

This skill is coherent with its purpose but has notable runtime risks you should consider before installing: 1) Avoid using the 'agent sets value' CLI pattern shown (secret set-value --value ...) because command-line arguments and shell history can leak secrets; prefer the dashboard claim workflow where a human sets the secret. 2) The instructions rely on npx to fetch and execute @vincentai/cli (often @latest) — pin to a specific version (e.g., @vincentai/[email protected]) and audit the package source before running it in a production environment. 3) Confirm where the CLI will store keys (the declared OPENCLAW_STATE_DIR or ./credentials) and ensure those filesystems are appropriately protected and backed up/rotated. 4) Treat the 'value never appears in context' statement skeptically — it depends on how you run the CLI and your agent framework's policies. 5) Operational recommendations: restrict the agent's runtime permissions, run the CLI in an isolated environment if possible, rotate/revoke keys after use, and audit network calls from the CLI (verify it only contacts heyvincent.ai if that is a requirement). If you need help hardening usage patterns (how to pin versions, run the CLI without exposing values on the command line, or configure a safer workflow), get those details before enabling the skill.

Capability Analysis

Type: OpenClaw Skill Name: vincent-credentials Version: 1.0.69 The skill manages sensitive credentials by interfacing with an external service (heyvincent.ai) and executing a remote CLI tool via 'npx @vincentai/cli@latest' as documented in SKILL.md. While the instructions align with the stated purpose of secure secret management, the reliance on dynamic remote code execution and the redirection of API keys/passwords to a third-party platform represent high-risk capabilities that could be leveraged for data exfiltration or supply chain attacks.

Capability Assessment

✓ Purpose & Capability

Name/description align with the declared behavior: a credential-management helper that writes secrets to .env files and persists a CLI-scoped key under the declared credentials paths. Allowed tools (Bash with npx:@vincentai/cli*) are consistent with using a vendor CLI.

⚠ Instruction Scope

The SKILL.md repeatedly asserts 'the credential value never appears in the agent's context or stdout' but the examples show using --value on the CLI (e.g. secret set-value --value '{...}' or passing API keys on the command line). Supplying secrets as command-line arguments can expose them to shell history, process listings, CI logs, or agent logs — contradicting the stated security guarantee. The instructions also permit the agent to write .env files on disk, which is expected, but they assume agent frameworks will not read those files (a policy assumption that may not hold).

⚠ Install Mechanism

There is no install spec; the guidance relies on npx @vincentai/cli (often @latest). That causes runtime download-and-execute of npm package code (moderate-to-high risk). The skill does not advise pinning a package version or verifying integrity, increasing attack surface if the package or npm account is compromised or a malicious version is published.

ℹ Credentials

The skill requests no environment variables and declares reasonable local credential paths. That is proportionate. However, the skill persists provider-scoped API keys under the agent state dir and allows the agent to set secret values via CLI; the CLI usage demonstrated would expose secrets via command-line arguments even though no env vars are required — a usability/UX vs security mismatch to be aware of.

✓ Persistence & Privilege

always:false and no special system-wide privileges are requested. The skill stores its own credential state under the declared paths; it does not request to modify other skills or global agent configuration.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install vincent-credentials
After installation, invoke the skill by name or use /vincent-credentials
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.69

No user-visible changes in this version. - Version bumped to 1.0.69 with no file or documentation changes detected.

v1.0.68

No changes detected in this version.

v1.0.66

Version 1.0.66 Changelog - No file or documentation changes detected in this release. - Functionality, documentation, and configuration remain unchanged from the previous version.

v1.0.65

- Updated allowed Bash tools to restrict CLI invocations to Bash(npx:@vincentai/cli*) only, improving command safety. - Changed example for setting credentials from a direct REST API call to using the CLI command (npx @vincentai/cli@latest secret set-value), making credential management more consistent. - Minor copy updates and expanded CLI usage examples for clarity and accuracy.

v1.0.64

- Version bump to 1.0.64 with no file changes detected. - No updates to code or documentation. - No new features, bugfixes, or content edits in this release.

v1.0.63

- No changes detected in this version. - No file or documentation updates were made.

v1.0.62

- Version bump to 1.0.62 with no file changes detected. - No updates to code or documentation in this release.

v1.0.61

- Skill metadata updated with a more concise description, author, version, and licensing information. - Added `allowed-tools` section to specify supported runtime tools: Read, Write, Bash (npx, curl). - Enhanced triggers listed in description for better discoverability ("store credentials", "API key", etc.). - No changes to core security, workflow, or CLI usage documented in the skill guide.

v1.0.60

- No changes detected in this release. - Version 1.0.60 is functionally identical to the previous version.

v1.0.58

- Improved documentation in SKILL.md for setup, usage, and security model. - Clarified workflow for creating, claiming, and writing secrets to .env files. - Added detailed explanation of secret types and CREDENTIALS JSON format. - Provided step-by-step quick start guide with CLI and API command examples. - Documented overwrite guard and enhanced security practices. - Updated sample commands and flags for clarity and ease of use.

Metadata

Slug vincent-credentials

Version 1.0.69

License MIT-0

All-time Installs 2

Active Installs 2

Total Versions 10

Frequently Asked Questions

What is Vincent - Credentials?

Secure credential management for agents. Use this skill when users need to store API keys, passwords, OAuth tokens, or SSH keys and write them to .env files... It is an AI Agent Skill for Claude Code / OpenClaw, with 547 downloads so far.

How do I install Vincent - Credentials?

Run "/install vincent-credentials" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Vincent - Credentials free?

Yes, Vincent - Credentials is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Vincent - Credentials support?

Vincent - Credentials is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Vincent - Credentials?

It is built and maintained by Chris Cassano (@glitch003); the current version is v1.0.69.

More Skills