OpenClaw Key Management

by keven0706 · GitHub ↗ · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
279 Downloads · 0 Stars · 1 Active Installs · 4 Versions
Install in OpenClaw: /install openclaw-key-management
Description
Secure credential storage system for OpenClaw that encrypts and protects API keys, tokens, and sensitive credentials from memory file compromise.
Usage Guidance
Do not store production secrets with this skill yet. Before installing or trusting it:
  1. Fix and verify the code: key_manager.sh references a non-existent key_vault_simple.js while the repo contains key_vault.js, so the CLI will fail.
  2. Confirm the master-key logic: the code always derives the master key from system identifiers and ignores the documented passphrase mode, so the 'high-security' protection is not actually enforced.
  3. Test install and migration in a disposable workspace: migration edits MEMORY.md automatically and will replace tokens, which could corrupt or leak data if the pattern matching is wrong.
  4. Review and run the Node.js module manually to confirm encrypt/decrypt semantics and ensure vault files are saved and loaded correctly (there are mismatches between save/load encodings that will likely break vault persistence).
  5. If you need real security, demand a patched version that honors master_key_mode, removes hardcoded paths or makes them configurable, stops referencing missing modules, and includes unit tests demonstrating correct load/save and migration behavior.
If the author cannot explain or fix these issues, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-key-management
Version: 1.0.3
The skill provides a credential encryption vault using AES-256-GCM, but its implementation contains significant security risks. The primary issue is in `scripts/key_manager.sh`, which generates temporary Node.js scripts by injecting unsanitized shell variables ($SECRET_NAME, $SECRET_VALUE) directly into JavaScript code blocks, making it highly vulnerable to code injection. Additionally, the scripts contain hardcoded workspace paths (e.g., `/zhaining`) and specific logic in `scripts/key_manager.sh` to target 'Instreet' API keys (`sk_inst_`), suggesting the tool is tailored for a specific environment or target. While no evidence of intentional data exfiltration was found, the poor handling of sensitive input in a security-focused tool is a major red flag.
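The generated-script pattern flagged above, contrasted with the safe way to hand a secret to a Node.js helper, as an added example that is not the skill's own code; the function names, the `vault.set` call and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the skill's code): contrasts an injection-prone way of
# generating a Node.js helper from a shell script with a hardened variant.
# Function names, vault.set and the sample value are illustrative assumptions.

# UNSAFE: an unquoted heredoc delimiter expands $SECRET_NAME/$SECRET_VALUE
# straight into JavaScript source, so quotes, backslashes or backticks in the
# value change the program text instead of being treated as data.
gen_script_unsafe() {
  cat > "$1" <<EOF
const name = "$SECRET_NAME";
const value = "$SECRET_VALUE";
vault.set(name, value);
EOF
}

# SAFE: the quoted delimiter ('EOF') disables all expansion, so the generated
# source is a fixed template; the secret reaches Node only via the environment
# and never becomes part of the code text.
gen_script_safe() {
  cat > "$1" <<'EOF'
const name = process.env.SECRET_NAME;
const value = process.env.SECRET_VALUE;
if (name === undefined || value === undefined) {
  throw new Error("SECRET_NAME and SECRET_VALUE must be set");
}
vault.set(name, value);
EOF
}

# Returns 0 (true) if the secret text was spliced verbatim into the file.
secret_in_source() {
  grep -F -q -- "$SECRET_VALUE" "$1"
}

# Constructed sample input: a value containing a quote that would terminate
# a JavaScript string literal early.
SECRET_NAME='demo_key'
SECRET_VALUE='abc"; // not a plain value'
export SECRET_NAME SECRET_VALUE

demo() {
  unsafe=$(mktemp); safe=$(mktemp)
  gen_script_unsafe "$unsafe"
  gen_script_safe "$safe"
  secret_in_source "$unsafe" && echo "unsafe: secret embedded in generated code"
  secret_in_source "$safe" || echo "safe: secret stays out of the source"
  rm -f "$unsafe" "$safe"
}
demo
```

Run the script to see the two outcomes; the safe template is identical regardless of what the secret contains, which is the property a key-management CLI must have.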
Capability Assessment
Purpose & Capability
The skill claims strong key management and a high-security (passphrase) mode. The code includes a vault implementation and CLI, but the implementation does not honor the documented 'passphrase' mode (initialize() always derives the master key from system identifiers). That means the advertised security property is not delivered. Additionally, the CLI and install scripts use a hardcoded workspace ($HOME/.openclaw/zhaining) rather than the variable workspace paths described in SKILL.md, reducing flexibility and risking misplaced files.
Instruction Scope
SKILL.md promises automatic interception of {SECRET:...} placeholders and integration into OpenClaw workflows. The provided code implements a JS vault module and CLI, but there is no code that hooks into OpenClaw to perform automatic interception at runtime. Migration and file-editing steps are implemented (scripts modify MEMORY.md), which is intrusive; the migration logic uses pattern matching for specific token prefixes (sk_inst_) and will edit workspace files automatically. This behavior is broader than the doc's 'automatic detection and blocking of credential logging attempts' and could modify files unexpectedly.
Install Mechanism
There is no external network download; install.sh copies files into a workspace and runs the bundled scripts. That is low risk from a third-party download perspective. However, install.sh and the scripts will write a .secrets directory under a hardcoded workspace and then run initialization and migration commands that modify local files, so installation will place code and encrypted data into your workspace and may alter MEMORY.md.
Credentials
The skill asks for no environment variables or external credentials, which is proportionate. The vault derives keys from local machine identifiers (/etc/machine-id and MAC addresses), which is reasonable for a 'system_key' convenience mode but undermines portability and the advertised passphrase protection. Reading machine-id and network interfaces is expected for a system-tied key but should be clearly documented and optional.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated platform privileges or attempt to modify other skills. It will persist files under the workspace (.secrets) and add backups there, which is normal for a vault implementation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-key-management
  3. After installation, invoke the skill by name or use /openclaw-key-management
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
No code or documentation changes detected for 1.0.3; version increment only.
  - Version number updated (no changes to files or documentation)
  - No new features, bug fixes, or other modifications in this release
v1.0.2
Fixed key vault loading and saving issues. Improved compatibility and reliability.
v1.0.1
Initial release with secure credential storage and memory protection
v1.0.0
Initial release of openclaw-key-management.
  - Provides strong AES-256-GCM encryption with PBKDF2-HMAC-SHA256 for all credentials.
  - Credentials are never stored in plaintext in memory files or logs, using a dedicated encrypted vault.
  - Supports two security modes: convenience (system key) and high-security (user passphrase).
  - Includes CLI tools for credential management, migration, and secure backups.
  - Offers automatic memory safety features and integration with OpenClaw memory architecture.
  - Designed for secure handling, migration, and referencing of sensitive authentication data in OpenClaw deployments.
Metadata
Slug: openclaw-key-management
Version: 1.0.3
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 4
Frequently Asked Questions

What is OpenClaw Key Management?

Secure credential storage system for OpenClaw that encrypts and protects API keys, tokens, and sensitive credentials from memory file compromise. It is an AI Agent Skill for Claude Code / OpenClaw, with 279 downloads so far.

How do I install OpenClaw Key Management?

Run "/install openclaw-key-management" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Key Management free?

Yes, OpenClaw Key Management is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does OpenClaw Key Management support?

OpenClaw Key Management is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw Key Management?

It is built and maintained by keven0706 (@keven0706); the current version is v1.0.3.