← Back to Skills Marketplace
basher83

Devtools Secrets

by basher83 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
665
Downloads
1
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install devtools-secrets
Description
Knowledge and guardrails for the mise + fnox + infisical secrets toolchain. Use when the user asks to "configure secrets", "set up fnox", "infisical", "mise...
README (SKILL.md)

DevTools Secrets

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain.

Toolchain Validation

IMPORTANT: Check tool availability before proceeding with any guidance.

  • mise: !command -v mise >/dev/null 2>&1 && echo "INSTALLED ($(mise --version 2>/dev/null | head -1))" || echo "MISSING — install with: curl https://mise.run | sh"
  • fnox: !command -v fnox >/dev/null 2>&1 && echo "INSTALLED ($(fnox --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g fnox"
  • infisical: !command -v infisical >/dev/null 2>&1 && echo "INSTALLED ($(infisical --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g infisical"

If any tool above shows MISSING, stop and help the user install it before proceeding. Do not provide configuration guidance for tools that aren't installed.

Project Config State

  • fnox.toml: !test -f fnox.toml && echo "YES" || echo "NO (run: fnox init)"
  • .infisical.json: !test -f .infisical.json && cat .infisical.json || echo "NO (run: infisical init)"
  • mise.toml env section: !grep -A5 '^\[env\]' mise.toml 2>/dev/null || echo "No env section"

System/Global Config

  • mise global config: !test -f ~/.config/mise/config.toml && head -10 ~/.config/mise/config.toml || echo "No global mise config"
  • fnox global config: !test -f ~/.config/fnox/config.toml && head -10 ~/.config/fnox/config.toml || echo "No global fnox config"
  • infisical logged in: !infisical user get 2>/dev/null | head -3 || echo "Not logged in or not installed"

Tool Roles

Tool Role
mise Task runner + env manager. Orchestrates dev tooling, runs tasks, manages env vars through plugins.
fnox Unified secret interface. Abstracts over multiple secret backends (infisical, age, env files) with a single CLI.
infisical Remote secrets backend. Stores, syncs, and injects secrets from a central server.

These tools complement each other: infisical stores secrets remotely, fnox provides a unified local interface to them, and mise orchestrates tasks that consume secrets via fnox.

Integration Chain

The typical flow:

  1. fnox.toml defines infisical as a provider with project/environment config
  2. fnox exec -- resolves secrets from the provider and injects them as env vars
  3. mise tasks can wrap fnox exec to run commands with secrets injected
  4. Alternatively, mise env plugins can call fnox directly for auto-injection on cd

Secrets Enforcement

This project enforces secrets hygiene via always-on hooks in .claude/settings.json (not scoped to this skill):

  • block-hardcoded-secrets.py — Blocks Edit/Write operations containing hardcoded API keys, tokens, passwords, or known secret prefixes (sk-, ghp_, AKIA, xox[bpras]-)
  • block-bare-secret-exports.py — Blocks Bash commands that export secret-like env vars without wrapping in fnox exec or infisical run

These hooks are always active regardless of whether this skill is loaded.

Configuration Patterns

Detailed configuration for each tool is in the reference files:

  • @references/mise-integration.md — mise env plugins, tasks, fnox integration
  • @references/fnox-configuration.md — fnox.toml structure, providers, profiles
  • @references/infisical-patterns.md — infisical CLI, scanning, CI/CD

Gotchas

  • Order matters: fnox.toml must exist before fnox exec works. Run fnox init if missing.
  • Profile mismatches: fnox profiles (dev/staging/prod) must match infisical environment slugs. A mismatch silently returns empty secrets.
  • .infisical.json is safe to commit — it contains project IDs and workspace config, not secrets.
  • fnox.toml may contain sensitive paths — review before committing if using age-encrypted file provider.
  • mise env plugins run on cd — if a plugin calls fnox and fnox is misconfigured, you get errors on every directory change.
  • infisical auth expiresinfisical login tokens have a TTL. CI/CD should use INFISICAL_TOKEN (service token) instead.
  • Token path scope is explicit — a service token scoped to / cannot access secrets in child paths like /git_actions. Each path requires its own token or use --recursive with the CLI directly.
Usage Guidance
This skill is a documentation/runbook for mise+fnox+infisical and appears internally consistent. Before letting an agent run these instructions: (1) be aware it will read local and global config files (~/..., project files) and run CLIs that may expose metadata or secrets if present; (2) do not paste service tokens or secrets into an agent prompt unless you trust the execution environment; (3) if you prefer, run the listed diagnostic commands yourself (command -v, cat, head, infisical user get) so you control what is printed; (4) consider restricting autonomous invocation or reviewing any commands the agent proposes to execute. If you want a narrower audit, provide a transcript of the exact commands the agent would run and I can point out which outputs may contain sensitive data.
Capability Analysis
Type: OpenClaw Skill Name: devtools-secrets Version: 1.0.0 The skill bundle is classified as suspicious primarily due to a prompt injection vulnerability in `SKILL.md`. The instruction `install with: curl https://mise.run | sh` presents a significant risk of arbitrary code execution if the AI agent interprets it as an executable command rather than an informational suggestion. Additionally, `SKILL.md` explicitly instructs the agent to read user configuration files (`.infisical.json`, `~/.config/mise/config.toml`, `~/.config/fnox/config.toml`), which, while stated for validation purposes, demonstrates sensitive file access capabilities. The skill's overall purpose of managing secret toolchains inherently involves handling highly sensitive data and powerful commands, increasing its risk profile.
Capability Assessment
Purpose & Capability
The name/description (secrets toolchain guidance) matches the instructions: the skill checks for mise/fnox/infisical, inspects project and global config files, and documents provider/env patterns. Nothing requested is outside what a secrets-configuration helper would reasonably need.
Instruction Scope
Instructions include shell checks and file reads (e.g., cat .infisical.json, head ~/.config/mise/config.toml, test for fnox.toml) and running CLI commands (e.g., infisical user get). These are coherent with diagnosing/configuring the toolchain, but they do cause the agent to read local and global config files which can contain metadata and possibly sensitive values (or tokens if present). The SKILL.md also references repo-level hooks (.claude/settings.json); this is explanatory, not an inscrutable remote endpoint.
Install Mechanism
Instruction-only skill with no install spec and no code files. No downloads or archive extraction are present, so there is no install-time risk in the skill itself.
Credentials
The skill declares no required environment variables or credentials. It does reference many env var names and CI usage patterns (INFISICAL_TOKEN, FNOX_AGE_KEY, etc.) as part of normal guidance. Because it may prompt or instruct use of these tokens for CI/testing, users should be mindful before providing sensitive credentials to any agent execution.
Persistence & Privilege
always is false, no install or self-modifying behavior, and the skill does not request persistent presence or attempt to change other skills or global agent configuration. The one caution is that the agent can invoke the skill autonomously (platform default), which is normal and expected.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install devtools-secrets
  3. After installation, invoke the skill by name or use /devtools-secrets
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of devtools-secrets 1.0.0: - Provides knowledge and guardrails for the mise + fnox + infisical secrets toolchain. - Validates tool installation before offering configuration guidance. - Outlines key project files and relevant configuration commands. - Summarizes the roles and integration chain of mise, fnox, and infisical. - Documents secrets enforcement hooks that block insecure patterns. - Lists gotchas and troubleshooting tips for typical integration issues.
Metadata
Slug devtools-secrets
Version 1.0.0
License
All-time Installs 4
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is Devtools Secrets?

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain. Use when the user asks to "configure secrets", "set up fnox", "infisical", "mise... It is an AI Agent Skill for Claude Code / OpenClaw, with 665 downloads so far.

How do I install Devtools Secrets?

Run "/install devtools-secrets" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Devtools Secrets free?

Yes, Devtools Secrets is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Devtools Secrets support?

Devtools Secrets is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Devtools Secrets?

It is built and maintained by basher83 (@basher83); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments