← Back to Skills Marketplace
stym06

Keys Manager

by Satyam Raj · GitHub ↗ · v0.5.1
cross-platform ⚠ suspicious
537
Downloads
0
Stars
3
Active Installs
6
Versions
Install in OpenClaw
/install keys-manager
Description
Manage API keys locally from the terminal using the `keys` CLI. Use when users want to store, retrieve, search, import, export, or organize API keys and secr...
README (SKILL.md)

Keys Manager

A skill for managing API keys and secrets locally using the keys CLI tool.

Installation

The keys CLI must be installed first:

brew install stym06/tap/keys

Or with Go:

go install github.com/stym06/keys@latest

Commands

Store a key

keys add \x3Cname> \x3Cvalue>

If the key already exists, the user is prompted to overwrite, edit, or cancel.

Retrieve a key

keys get \x3Cname>       # print value directly
keys get              # interactive typeahead picker

Browse keys interactively

keys see

Opens a TUI with fuzzy search, checkboxes, clipboard copy, and age indicators.

  • space — toggle selection
  • tab — copy selected as KEY=VAL
  • ctrl+y — copy selected as export KEY=VAL
  • ctrl+e — export selected to .env file
  • enter — add a new key (when no matches found)
  • esc — quit

Masked view

keys peek

Same as see but values are hidden as ***. Press r to reveal individual keys. Useful for screen-sharing.

Edit a key

keys edit \x3Cname>

Opens a TUI editor. tab switches fields, enter saves, esc cancels.

Delete a key

keys rm \x3Cname>

Export keys

keys env              # interactive selector, writes .env file
keys expose           # print export statements to stdout

Import from .env

keys import \x3Cfile>

Parses .env files — handles comments, quotes, and export prefixes. Reports new vs updated counts.

Profiles

Isolate keys by project or environment:

keys profile use \x3Cname>     # switch profile
keys profile list           # list all profiles (* = active)

All add, get, rm, see, and other commands operate within the active profile.

Inject keys into commands

$(keys inject API_KEY DB_HOST) ./my-script.sh          # inline env vars
docker run $(keys inject -d API_KEY DB_HOST) my-image  # Docker -e flags
$(keys inject --all) ./my-script.sh                    # all keys from active profile
$(keys inject --all --profile dev) ./my-script.sh      # all keys from specific profile

Outputs keys as space-separated KEY=VAL pairs (or -e KEY=VAL with --docker) for use in command substitution.

Audit key access

keys audit              # summary: access count + last used per key
keys audit --log        # full access log (most recent first)
keys audit --log -n 20  # last 20 events
keys audit --clear      # clear the audit log

Tracks when keys are accessed via get, inject, and expose. Useful for understanding which keys agents and scripts are using.

Check required keys

keys check              # reads .keys.required from current directory
keys check reqs.txt     # custom file

Reads key names from a file (one per line, # comments supported) and reports which are present or missing. Exits with code 1 if any are missing — useful for CI and agent pre-flight checks.

Example .keys.required:

# Agent dependencies
OPENAI_KEY
SERP_API_KEY
DATABASE_URL

Sync keys between machines

# On machine A (has the keys)
keys sync serve
# Serving 12 keys from profile "default"
# Passphrase: olive-quilt-haven
# Waiting for connections...

# On machine B (wants the keys)
keys sync pull                       # auto-discover via mDNS
keys sync pull 192.168.1.10:7331     # or connect directly

Peer-to-peer sync over the local network. Auto-discovers peers via mDNS (Bonjour), encrypted with a one-time passphrase (AES-256-GCM). Works over WiFi, Tailscale, or any reachable network. Smart merge: adds new keys, updates older ones, skips newer local ones.

Delete all keys

keys nuke

Requires typing nuke to confirm. Only affects the active profile.

Version

keys version
keys --version

Authentication

On macOS, keys prompts for Touch ID before any command that accesses keys. Authentication is cached per terminal session — the first command triggers Touch ID, subsequent commands in the same shell skip the prompt.

Commands that skip authentication: profile, completion, version, help.

On non-macOS systems or when biometrics are unavailable, access is allowed without prompting.

Examples

Typical workflow

keys add OPENAI_KEY sk-proj-abc123
keys add STRIPE_KEY sk_test_4eC3
keys get OPENAI_KEY
keys see                    # browse and copy
keys env                    # generate .env for a project

Multi-project setup

keys profile use projectA
keys import .env
keys profile use projectB
keys add DB_HOST prod-db.example.com
keys profile list

Quick export to shell

eval $(keys expose)

Guidelines

  • Always use keys get \x3Cname> when the user knows the exact key name
  • Use keys get (no args) when the user wants to search/pick interactively
  • Use keys peek instead of keys see when the user is screen-sharing or wants masked output
  • Use keys profile to separate keys across different projects or environments
  • Use keys import for bulk loading from existing .env files
  • Suggest keys env when the user needs to generate a .env file for a specific project
  • Use keys inject when the user wants to pass keys directly to a command or Docker container without creating files
  • Use keys audit to review which keys are being accessed and how often
  • Use keys check before running agents to verify all required keys are available
  • Use keys sync serve + keys sync pull to transfer keys between machines without cloud services
Usage Guidance
This skill is a thin instruction set for using the third‑party `keys` CLI; it doesn't itself request extra credentials or install code. Before you use it: 1) verify you trust and have inspected the `keys` binary source (brew tap or GitHub repo) before installing; 2) be cautious with commands that print or inject secrets (keys expose, keys inject, eval $(keys expose)) as they can place secrets into shell history, child processes, or environment variables; 3) avoid using sync over untrusted networks and confirm passphrases when transferring keys between machines; and 4) if you allow autonomous agent invocation, understand the agent could run `keys` commands that access local secrets — limit agent permissions or require user confirmation for sensitive operations if that is a concern.
Capability Analysis
Type: OpenClaw Skill Name: keys-manager Version: 0.5.1 The skill provides an agent with full access to a local secret management utility (`keys` CLI) with high-risk capabilities, most notably network-based synchronization (`keys sync serve/pull`) and bulk credential export (`keys expose`, `keys env`). While the tool's stated purpose is legitimate secret management, the ability to serve the entire key database over a local network via mDNS and AES-256-GCM (as described in `SKILL.md`) creates a significant surface for data exfiltration if the agent is manipulated. The instructions in `SKILL.md` empower the agent to perform these sensitive operations, including 'nuking' the database or injecting secrets into arbitrary commands.
Capability Assessment
Purpose & Capability
The name/description (local API key management) matches the declared requirement (the `keys` binary) and the runtime instructions. No unrelated credentials, services, or system paths are requested.
Instruction Scope
Instructions tell the agent to run `keys` commands that read/write .env and .keys.required files, open TUIs, export/inject secrets into shell commands, and perform local-network peer sync via mDNS. These are coherent with a key manager, but features like `inject`, `expose`, and `sync` can cause secrets to be placed into child processes, stdout, or network transfers — so they deserve careful operational attention.
Install Mechanism
The skill is instruction-only (no install spec). The README suggests installing `keys` via Homebrew or `go install` from github.com/stym06/keys, which is a plausible, traceable source. The skill itself will not download or write code.
Credentials
No environment variables or external credentials are requested by the skill. Example usage references common keys (OPENAI_KEY, DATABASE_URL) but that is explanatory, not a requirement of the skill.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It may be invoked autonomously by the agent (platform default). Because the skill runs a local CLI that can access and output secrets, autonomous invocation increases the risk of accidental secret exposure if a malicious or misconfigured agent executes commands — this is an operational risk, not an incoherence in the skill itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install keys-manager
  3. After installation, invoke the skill by name or use /keys-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.5.1
Fix Go module path for go install compatibility
v0.5.0
Add peer-to-peer key sync between machines via mDNS with encrypted transfer
v0.4.0
Add keys audit (access history tracking) and keys check (verify required keys) commands, --version flag
v0.3.0
Add keys inject command for outputting keys as inline env vars or Docker -e flags
v0.2.0
Add Touch ID authentication docs and version command
v0.1.0
Initial release
Metadata
Slug keys-manager
Version 0.5.1
License
All-time Installs 3
Active Installs 3
Total Versions 6
Frequently Asked Questions

What is Keys Manager?

Manage API keys locally from the terminal using the `keys` CLI. Use when users want to store, retrieve, search, import, export, or organize API keys and secr... It is an AI Agent Skill for Claude Code / OpenClaw, with 537 downloads so far.

How do I install Keys Manager?

Run "/install keys-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Keys Manager free?

Yes, Keys Manager is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Keys Manager support?

Keys Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Keys Manager?

It is built and maintained by Satyam Raj (@stym06); the current version is v0.5.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments