← Back to Skills Marketplace
anmolnagpal

Key Vault Auditor

by Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
327
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install key-vault-auditor
Description
Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks
README (SKILL.md)

Azure Key Vault & Secrets Security Auditor

You are an Azure Key Vault security expert. Misconfigured Key Vaults expose your most sensitive credentials.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Key Vault list with network settings — all vaults and their configurations 
    az keyvault list --output json
az keyvault show --name my-vault --output json
  2. Key Vault access policies or RBAC assignments — who can access what 
    az keyvault show --name my-vault --query 'properties.accessPolicies' --output json
az role assignment list --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/my-vault --output json
  3. Secret and certificate expiry status — near-expiry items 
    az keyvault secret list --vault-name my-vault --output json
az keyvault certificate list --vault-name my-vault --output json

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Key Vault Reader",
  "scope": "Key Vault resource",
  "note": "Use 'Reader' at subscription scope for vault list; 'Key Vault Reader' to inspect vault configuration"
}

If the user cannot provide any data, ask them to describe: how many Key Vaults you have, whether they use public or private network access, and how secrets are rotated.

Checks

  • Key Vault with public network access enabled (no IP firewall or private endpoint)
  • Key Vault using legacy Access Policies instead of Azure RBAC
  • Over-privileged access: Key Vault Administrator or Key Vault Secrets Officer granted broadly
  • Expired or near-expiry (\x3C 30 days) certificates, keys, and secrets
  • Secrets not rotated in > 90 days
  • Soft delete disabled (Key Vault can be permanently deleted)
  • Purge protection disabled (deleted secrets can be purged before retention period)
  • Key Vault diagnostic logging disabled (no audit trail)
  • Applications using hardcoded connection strings instead of Key Vault references
  • Managed identities not used (service principals with long-lived secrets instead)

Output Format

  • Critical Findings: public access, disabled protections
  • Findings Table: vault name, finding, risk, remediation
  • Hardened Bicep Template: per finding with network rules + RBAC
  • Secret Rotation Plan: rotation schedule recommendations per secret type
  • Managed Identity Migration: guide to replace client secrets with managed identity

Rules

  • Public Key Vault + no IP firewall = any internet user can attempt access — always Critical
  • Recommend Key Vault references in App Service / Functions instead of env vars
  • Note: one Key Vault per application/environment is the recommended pattern
  • Flag if Key Vault is shared across production and non-production — blast radius risk
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Usage Guidance
This skill appears coherent and low-risk because it only asks you to provide exported az CLI output (read-only). Before using it: (1) do the az commands locally in your environment, redact or remove any secret values or connection strings before pasting output, and prefer sharing only the minimal JSON objects needed (vault properties, accessPolicies, role assignments, secret metadata). (2) Confirm you are not pasting secret values, private keys, or client secrets—CLI output can sometimes include these. (3) If possible, share redacted samples or summaries (e.g., counts, boolean flags, principal names) instead of raw dumps. (4) Use least-privilege Reader access when running az commands and avoid granting elevated rights. If you need higher confidence about what will be inspected, ask the maintainer for a detailed data-extraction checklist or a script you can run locally that strips sensitive values before upload.
Capability Analysis
Type: OpenClaw Skill Name: key-vault-auditor Version: 1.0.0 The skill explicitly states it is 'instruction-only' and 'does not execute any Azure CLI commands or access your Azure account directly' in SKILL.md. It instructs the AI agent to ask the user for data, not to fetch it, and critically, it includes rules for the agent to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing' user-pasted data. These instructions demonstrate a clear intent to prevent malicious actions and ensure data privacy, despite `bash` being listed as a tool.
Capability Assessment
Purpose & Capability
The name/description (Key Vault auditing) match the runtime instructions: the skill asks users to provide az CLI outputs and inspects vault configuration, access policies, and secret hygiene. It does not request unrelated credentials or services.
Instruction Scope
SKILL.md explicitly states the skill is instruction-only and will not run az CLI itself, and it instructs the user which CLI outputs to paste. Minor inconsistency: the front-matter lists 'bash' as a tool which could imply execution, but the body clarifies no direct execution. The instructions appropriately avoid asking for credentials and warn users to confirm no secrets are included; still, this relies on the user to redact sensitive values before pasting.
Install Mechanism
No install specification or code is included (instruction-only), so nothing is written to disk or downloaded.
Credentials
No environment variables, credentials, or config paths are required. The SKILL.md correctly requests only read-only CLI outputs and recommends the minimum read-only RBAC role (Key Vault Reader) needed to produce those outputs.
Persistence & Privilege
The skill is not marked always:true, does not request persistent presence, and does not modify agent/system configurations. Autonomous invocation is allowed by default but is not combined with broad privileges or credential access.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install key-vault-auditor
  3. After installation, invoke the skill by name or use /key-vault-auditor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
azure-key-vault-auditor 1.0.0 – Initial release - Provides instruction-only auditing for Azure Key Vault security, configuration, and access policies. - Analyzes exported Azure CLI/console data for exposures (public access, policy risks, expired secrets). - Generates a findings table, Bicep hardening templates, secret rotation plans, and managed identity migration guidance. - Clearly outlines required user inputs and minimum Azure permissions (read-only). - Does not request or process any credentials or secrets directly.
Metadata
Slug key-vault-auditor
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Key Vault Auditor?

Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks. It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.

How do I install Key Vault Auditor?

Run "/install key-vault-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Key Vault Auditor free?

Yes, Key Vault Auditor is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Key Vault Auditor support?

Key Vault Auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Key Vault Auditor?

It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments