โ† Back to Skills Marketplace
king6381

๐Ÿ›ก๏ธ Credential Vault / ๅ‡ญ่ฏไฟ้™ฉ็ฎฑ

by king6381 · GitHub ↗ · v1.3.1 · MIT-0
cross-platform ⚠ suspicious
232 Downloads · 0 Stars · 0 Active Installs · 5 Versions
Install in OpenClaw
/install mjolnir-credential-vault
Description
GPG AES-256 encrypted credential management. Requires: GPG (gnupg) installed, Python 3.8+, CRED_MASTER_PASS env var for non-interactive use. Use when the use...
Usage Guidance
This credential vault is internally coherent and implements a local GPG-encrypted file approach. Before installing or using it, consider the following:
(1) Prefer interactive entry via gpg-agent/pinentry rather than exporting CRED_MASTER_PASS: environment variables can be read by other same-user processes on Linux (/proc/*/environ).
(2) The tool creates a plaintext JSON temp file for a short time; on systems without encrypted tmpfs this can be recoverable. Consider mounting /tmp as tmpfs or setting TMPDIR to a ram-backed location if you need stronger guarantees.
(3) The helper prints secrets to stdout; avoid running it in contexts where other processes could capture stdout, and avoid exposing secrets in logs.
(4) This is single-user, local storage (no key rotation, no tamper detection); for enterprise or multi-tenant use consider an OS keyring, HashiCorp Vault, or cloud KMS.
(5) Review the included scripts before use and keep the credential file and skill directory permissions restricted (600/owner-only).
If you cannot accept the env-var and temp-file trade-offs, do not use the non-interactive mode and prefer interactive gpg-agent/pinentry flows.
Capability Analysis
Type: OpenClaw Skill
Name: mjolnir-credential-vault
Version: 1.3.1
The skill provides a GPG-encrypted credential vault that follows several security best practices in its Python implementation (cred_manager.py), such as using --passphrase-fd to avoid process-list leaks and implementing secure temporary file deletion. However, the shell helper script (scripts/cred_helper.sh) contains a critical command injection vulnerability where shell variables ($service and $key) are directly interpolated into a Python one-liner's string literals. This flaw allows for arbitrary code execution if service names are maliciously crafted, meeting the criteria for a 'suspicious' classification due to high-risk vulnerabilities.
Capability Assessment
✓ Purpose & Capability
Name/description (GPG AES-256 credential manager) matches the code and runtime requirements: Python + gpg + optional CRED_MASTER_PASS. The included scripts implement the stated init/add/get/list/remove operations; no unrelated services, binaries, or credentials are requested.
✓ Instruction Scope
SKILL.md and scripts instruct only to create/read/update a local encrypted file and to set or prompt for a master password. They reference only the skill directory and the CRED_MASTER_PASS env var. There is no instruction to read unrelated files, exfiltrate data, or call external endpoints.
✓ Install Mechanism
No install spec (instruction-only) and shipped code is plain Python/bash. Nothing is downloaded or executed from a remote URL. This minimizes install-time risk.
ℹ Credentials
Only a single env var (CRED_MASTER_PASS) is required which aligns with the stated non-interactive usage. This is proportionate, but the skill explicitly warns that environment variables are readable by same-user processes via /proc on Linux and that temporary plaintext JSON is created briefly. Those are real, expected risks (not evidence of misbehavior) and should be considered before non-interactive use.
✓ Persistence & Privilege
Skill is not always:true and does not request system-wide config changes or extra privileges. It is user-invocable and can be called autonomously (platform default), which is normal; there is no additional persistent system modification.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mjolnir-credential-vault
  3. After installation, invoke the skill by name or use /mjolnir-credential-vault
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.1
v1.3.1: Fix registry metadata: declare gpg/python3 required bins and CRED_MASTER_PASS env var to resolve security scan 'metadata mismatch' finding
v1.3.0
v1.3.0: Bilingual EN/CN documentation for SKILL.md, CLI output, and shell helper
v1.2.0
Full fix of security scan findings: the shell helper also switched to passphrase-fd, declared the GPG dependency and the CRED_MASTER_PASS environment variable, honestly documented the temporary-file risk, no longer recommends writing to bashrc, complete Limitations
v1.1.0
Security hardening: passphrase-fd replaces command-line argument passing, temporary files with 600 permissions plus secure deletion, GPG dependency check, password strength hint, explicit Limitations
v1.0.0
Initial release: GPG AES-256 encrypted credential management, dual Python + Shell interfaces, complete CLI
Metadata
Slug mjolnir-credential-vault
Version 1.3.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is 🛡️ Credential Vault / 凭证保险箱?

GPG AES-256 encrypted credential management. Requires: GPG (gnupg) installed, Python 3.8+, CRED_MASTER_PASS env var for non-interactive use. Use when the use... It is an AI Agent Skill for Claude Code / OpenClaw, with 232 downloads so far.

How do I install 🛡️ Credential Vault / 凭证保险箱?

Run "/install mjolnir-credential-vault" in the OpenClaw or Claude Code chat to install it in one step; no extra setup required.

Is 🛡️ Credential Vault / 凭证保险箱 free?

Yes, 🛡️ Credential Vault / 凭证保险箱 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 🛡️ Credential Vault / 凭证保险箱 support?

🛡️ Credential Vault / 凭证保险箱 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 🛡️ Credential Vault / 凭证保险箱?

It is built and maintained by king6381 (@king6381); the current version is v1.3.1.
