Description

Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage. Triggers: "key vault", "SecretClient", "KeyClient", "CertificateClient", "secrets", "encryption keys".

README (SKILL.md)

Azure Key Vault SDK for Python

Name: Azure Keyvault Py
Author: thegovind

Secure storage and management for secrets, cryptographic keys, and certificates.

Installation

# Secrets
pip install azure-keyvault-secrets azure-identity

# Keys (cryptographic operations)
pip install azure-keyvault-keys azure-identity

# Certificates
pip install azure-keyvault-certificates azure-identity

# All
pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity

Environment Variables

AZURE_KEYVAULT_URL=https://\x3Cvault-name>.vault.azure.net/

Secrets

SecretClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = SecretClient(vault_url=vault_url, credential=credential)

Secret Operations

# Set secret
secret = client.set_secret("database-password", "super-secret-value")
print(f"Created: {secret.name}, version: {secret.properties.version}")

# Get secret
secret = client.get_secret("database-password")
print(f"Value: {secret.value}")

# Get specific version
secret = client.get_secret("database-password", version="abc123")

# List secrets (names only, not values)
for secret_properties in client.list_properties_of_secrets():
    print(f"Secret: {secret_properties.name}")

# List versions
for version in client.list_properties_of_secret_versions("database-password"):
    print(f"Version: {version.version}, Created: {version.created_on}")

# Delete secret (soft delete)
poller = client.begin_delete_secret("database-password")
deleted_secret = poller.result()

# Purge (permanent delete, if soft-delete enabled)
client.purge_deleted_secret("database-password")

# Recover deleted secret
client.begin_recover_deleted_secret("database-password").result()

Keys

KeyClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = KeyClient(vault_url=vault_url, credential=credential)

Key Operations

from azure.keyvault.keys import KeyType

# Create RSA key
rsa_key = client.create_rsa_key("rsa-key", size=2048)

# Create EC key
ec_key = client.create_ec_key("ec-key", curve="P-256")

# Get key
key = client.get_key("rsa-key")
print(f"Key type: {key.key_type}")

# List keys
for key_properties in client.list_properties_of_keys():
    print(f"Key: {key_properties.name}")

# Delete key
poller = client.begin_delete_key("rsa-key")
deleted_key = poller.result()

Cryptographic Operations

from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

# Get crypto client for a specific key
crypto_client = CryptographyClient(key, credential=credential)
# Or from key ID
crypto_client = CryptographyClient(
    "https://\x3Cvault>.vault.azure.net/keys/\x3Ckey-name>/\x3Cversion>",
    credential=credential
)

# Encrypt
plaintext = b"Hello, Key Vault!"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
ciphertext = result.ciphertext

# Decrypt
result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
decrypted = result.plaintext

# Sign
from azure.keyvault.keys.crypto import SignatureAlgorithm
import hashlib

digest = hashlib.sha256(b"data to sign").digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature

# Verify
result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
print(f"Valid: {result.is_valid}")

Certificates

CertificateClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = CertificateClient(vault_url=vault_url, credential=credential)

Certificate Operations

# Create self-signed certificate
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate("my-cert", policy=policy)
certificate = poller.result()

# Get certificate
certificate = client.get_certificate("my-cert")
print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")

# Get certificate with private key (as secret)
from azure.keyvault.secrets import SecretClient
secret_client = SecretClient(vault_url=vault_url, credential=credential)
cert_secret = secret_client.get_secret("my-cert")
# cert_secret.value contains PEM or PKCS12

# List certificates
for cert in client.list_properties_of_certificates():
    print(f"Certificate: {cert.name}")

# Delete certificate
poller = client.begin_delete_certificate("my-cert")
deleted = poller.result()

Client Types Table

Client	Package	Purpose
`SecretClient`	`azure-keyvault-secrets`	Store/retrieve secrets
`KeyClient`	`azure-keyvault-keys`	Manage cryptographic keys
`CryptographyClient`	`azure-keyvault-keys`	Encrypt/decrypt/sign/verify
`CertificateClient`	`azure-keyvault-certificates`	Manage certificates

Async Clients

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

async def get_secret():
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)
    
    async with client:
        secret = await client.get_secret("my-secret")
        print(secret.value)

import asyncio
asyncio.run(get_secret())

Error Handling

from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try:
    secret = client.get_secret("nonexistent")
except ResourceNotFoundError:
    print("Secret not found")
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - check RBAC permissions")
    raise

Best Practices

Use DefaultAzureCredential for authentication
Use managed identity in Azure-hosted applications
Enable soft-delete for recovery (enabled by default)
Use RBAC over access policies for fine-grained control
Rotate secrets regularly using versioning
Use Key Vault references in App Service/Functions config
Cache secrets appropriately to reduce API calls
Use async clients for high-throughput scenarios

Usage Guidance

Things to consider before installing: (1) Provenance — the skill has no listed source or homepage; prefer official Microsoft/published sources. (2) Environment mismatch — SKILL.md requires AZURE_KEYVAULT_URL and implicitly uses DefaultAzureCredential (which can consume AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, Azure CLI tokens, managed identity). The registry metadata did not declare those — verify expected env/credentials before use. (3) Privilege scope — the sample code shows reading secret values and performing destructive actions (delete/purge). Only grant the minimum Azure identity permissions required (use a limited service principal with least privilege rather than broad credentials). (4) Autonomy — the agent may invoke the skill automatically; if you allow that, be confident in credential granularity and the skill owner. (5) If you need higher assurance, ask the publisher for a homepage/repo and confirm the SKILL.md matches an official azure-keyvault SDK example.

Capability Analysis

Type: OpenClaw Skill Name: azure-keyvault-py Version: 0.1.0 The skill bundle provides documentation and code examples for interacting with Azure Key Vault using the official Python SDKs. All installation commands and Python code snippets in `SKILL.md` are standard and demonstrate legitimate usage of the Azure Key Vault services. There is no evidence of prompt injection, malicious execution, data exfiltration, persistence mechanisms, or suspicious external network calls. The dependencies listed are official Azure SDK packages, and the environment variable setup is for a legitimate Azure Key Vault URL.

Capability Assessment

ℹ Purpose & Capability

The SKILL.md is a legitimate set of instructions for the Azure Key Vault Python SDK (secrets, keys, certificates) and the listed pip packages align with that purpose. However the registry metadata claims no required environment variables or primary credential while the instructions reference AZURE_KEYVAULT_URL and rely on DefaultAzureCredential, so the declared requirements do not fully match the actual usage. Source/homepage is missing which reduces provenance.

ℹ Instruction Scope

Instructions stay within Key Vault operations (set/get/list/delete secrets, manage keys/certificates, crypto ops). They explicitly access secret values (including cert private-key material via secrets) and show destructive operations (purge, delete). They do not instruct reading unrelated local files, but they do rely on authentication behavior (DefaultAzureCredential) that may cause the agent to use any available local Azure credentials/tokens.

✓ Install Mechanism

No install spec in registry (instruction-only). SKILL.md recommends pip installing official azure-keyvault-* and azure-identity packages from PyPI, which is expected and proportionate for a Python SDK integration.

⚠ Credentials

Registry metadata lists no required env vars, but SKILL.md references AZURE_KEYVAULT_URL and uses DefaultAzureCredential. DefaultAzureCredential can pull credentials from multiple sources (AZURE_CLIENT_ID/CLIENT_SECRET/TENANT_ID env vars, Azure CLI tokens, managed identity, developer tooling). The skill therefore implicitly requires/consumes sensitive credentials but fails to declare them, which is disproportionate and risky.

ℹ Persistence & Privilege

always is false and the skill is user-invocable (normal). disable-model-invocation is false so the agent could call the skill autonomously — by itself this is a platform default, but combined with the skill's ability to access and delete secrets it increases potential impact. The skill does not request persistent installation or system-wide config changes.

Version History

v0.1.0

- Initial release of azure-keyvault-py skill. - Provides an overview and setup instructions for Python Azure Key Vault SDKs: secrets, keys, and certificates. - Includes usage examples for SecretClient, KeyClient, CryptographyClient, and CertificateClient. - Documents installation, authentication, environment variables, and error handling. - Lists best practices and usage tips for secure key vault integration.

Metadata

Slug azure-keyvault-py

Version 0.1.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Azure Keyvault Py?

Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage. Triggers: "key vault", "SecretClient", "KeyClient", "CertificateClient", "secrets", "encryption keys". It is an AI Agent Skill for Claude Code / OpenClaw, with 1602 downloads so far.

How do I install Azure Keyvault Py?

Run "/install azure-keyvault-py" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Azure Keyvault Py free?

Yes, Azure Keyvault Py is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Azure Keyvault Py support?

Azure Keyvault Py is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Azure Keyvault Py?

It is built and maintained by thegovind (@thegovind); the current version is v0.1.0.

More Skills

Azure Keyvault Py