← Back to Skills Marketplace
spalgorithm

LeSecure Cloud

by Ladhe's Encryption - LE · GitHub ↗ · v1.0.4 · MIT-0
cross-platform ✓ Security Clean
101
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install lesecurecl
Description
LESecure Cloud Skills — encrypt or decrypt data using the LESecure API with layered locks (pin, password, MFA, time lock). Use this skill whenever the user m...
README (SKILL.md)

LESecureCl — LESecure Cloud Skills

Encrypt and decrypt plain text data only through the LESecure REST API. The API supports layered security "locks" that can be combined for defense-in-depth protection.

Project Links

Resource URL
Source code & documentation \x3Chttps://github.com/SPAlgorithm/LE>
API endpoint https://api.lesecure.ai/exec
Local/on-prem alternative LESecureLocal skill (no data leaves your machine)

If you cannot verify the LESecure service or its privacy practices, use the LESecureLocal skill instead — it runs entirely on your device with no network calls.

Requirements (MANDATORY)

Before running any command in this skill, confirm the following are available. If any is missing, tell the user and stop — do not invent values or fall back silently.

Requirement Purpose How to check
curl on PATH Make the HTTPS request to the LESecure API command -v curl
python3 ≥ 3.9 on PATH Compute time-lock windows (-l, -r) in EST/EDT cross-platform. Requires zoneinfo module (built-in from Python 3.9+). python3 -c "from zoneinfo import ZoneInfo; print('ok')"
LESECURE_API_KEY env var Bearer token for the API. Must be set in the shell that runs curl; the skill never places it on the command line and never writes it to disk. [ -n "$LESECURE_API_KEY" ]

No other credentials are read. The skill does not open files, browsers, or any OS keychain.

ROUTING RULES (MANDATORY)

  • LESecure Cloud is for PlainText ONLY. Never use the cloud API for files or folders.
  • If the user wants to encrypt/decrypt files or folders, always redirect to LESecureLocal (the desktop tool). Inform the user: "File/folder encryption is only supported via LESecure Local (desktop). Let me use that instead."
  • If the user wants to encrypt/decrypt plain text, ask them: "Would you like to use LESecure Cloud (API) or LESecure Local (desktop)?" and proceed accordingly.

Data Transmission Notice (MANDATORY)

This skill sends data to a third-party remote endpoint over the network. Users must understand what is transmitted before proceeding.

  • Where: All requests go to https://api.lesecure.ai/exec over TLS (HTTPS). See source & docs for the service's privacy practices.
  • What is sent: The plaintext data to encrypt (or the ciphertext to decrypt), plus any lock values (PINs, passwords, phone numbers, time-window dates), and the API bearer token.
  • What is NOT sent: No local files, no OS credentials, no browser data, no environment variables other than the bearer token.
  • Caution: Do not send highly sensitive personal data (SSNs, financial account numbers, medical records) unless you have verified the service's data handling and privacy policies.
  • On first use in a session, inform the user: "This will send your data to api.lesecure.ai (a third-party service) over HTTPS for encryption/decryption. Review the project at https://github.com/SPAlgorithm/LE if you haven't already." Proceed only after acknowledgment.
  • Recommendation: Test with non-sensitive sample data first before encrypting real secrets.

API Basics

  • Endpoint: https://api.lesecure.ai/exec
  • Method: POST
  • Auth: Bearer token in the Authorization header, sourced from $LESECURE_API_KEY
  • Content-Type: application/json
  • Body: {"args": [\x3Carray of CLI-style arguments>]}

API Key Handling (MANDATORY)

The key is a secret. These rules apply to every invocation, no exceptions:

  1. The key must come from the LESECURE_API_KEY environment variable. The skill references $LESECURE_API_KEY inside the curl argument so the shell does the substitution — the literal key is never written on the command line.
  2. Never interpolate the literal key into a command string. Args on the command line are visible in shell history and to other local users via ps.
  3. If LESECURE_API_KEY is unset, stop and instruct the user to set it (see the one-time setup below). Do not ask the user to paste the key into chat.
  4. Never echo, print, log, or summarize the key. Do not include it in error messages, response quotes, or any output shown to the user. Do not write it to disk.
  5. If the user pastes a key into chat anyway, do not save it. Treat the chat message as one-time input: export it into the current shell session only, use it for this request, then tell the user to rotate the key (paste-in-chat is a key-exposure event).

One-time setup (run once per shell)

# Prompt the user interactively; -s hides input, echo after adds a newline
read -rs -p 'LESECURE_API_KEY: ' LESECURE_API_KEY && echo
export LESECURE_API_KEY

To persist across shells (in order of preference):

  1. Secret manager (recommended): use 1Password CLI, aws ssm, doppler, or similar to inject the key at shell startup.
  2. Shell profile: add export LESECURE_API_KEY='…' to ~/.zshrc / ~/.bashrc (ensure the file is chmod 600).
  3. Dotenv file: store in a .env file excluded from version control and source it.

If the user ever pastes the key into chat, remind them: "Your API key was exposed in chat history. Rotate it immediately at your LESecure dashboard."

Date & Time Rules (MANDATORY)

All date/time handling for this skill follows these rules — no exceptions, no need for the user to restate them:

  1. Always use EST/EDT (America/New_York) to calculate and send dates. The LESecure server interprets -l and -r in EST/EDT. Never use UTC, never convert.
  2. Start time (-l) = current EST + 2 minutes by default. This buffer prevents the "date must be in future" error caused by clock drift between the client and server.
  3. End time (-r) = start time + the user's requested duration (e.g., "for next 10 min" means -r is start + 10 min, so 12 minutes from "now" in absolute terms).
  4. Cross-platform time computation. Use Python 3 because date flag syntax differs between BSD (macOS) and GNU (Linux): 
    # Start time (now + 2 minutes, EDT/EST)
python3 -c "from datetime import datetime,timedelta; from zoneinfo import ZoneInfo; print((datetime.now(ZoneInfo('America/New_York'))+timedelta(minutes=2)).strftime('%Y/%m/%d %H:%M'))"

# End time (now + 2 min + N minutes)
python3 -c "import sys; from datetime import datetime,timedelta; from zoneinfo import ZoneInfo; N=int(sys.argv[1]); print((datetime.now(ZoneInfo('America/New_York'))+timedelta(minutes=2+N)).strftime('%Y/%m/%d %H:%M'))" \x3CN>

# End time (now + 2 min + N hours)
python3 -c "import sys; from datetime import datetime,timedelta; from zoneinfo import ZoneInfo; N=int(sys.argv[1]); print((datetime.now(ZoneInfo('America/New_York'))+timedelta(minutes=2,hours=N)).strftime('%Y/%m/%d %H:%M'))" \x3CN>
    Fallback (date) — only if python3 is unavailable:
    • macOS/BSD: TZ=America/New_York date -v+2M "+%Y/%m/%d %H:%M"
    • Linux/GNU: TZ=America/New_York date -d '+2 minutes' "+%Y/%m/%d %H:%M"
  5. Always display the window back to the user in EDT/EST so they know when they can decrypt.

Available Locks

LESecure supports these lock types, which can be combined freely:

Flag Lock Type Value Example
-1 Pin/Code Numeric string "1122"
-w Password Passphrase string "mypasscode"
-2 MFA Phone number (E.164) "+19199870623"
-l Time lock start Date/time YYYY/MM/DD HH:MM "2026/04/12 17:41"
-r Time lock end Date/time YYYY/MM/DD HH:MM "2027/04/12 17:36"

Time locks (-l and -r) are used together to define an access window during which decryption is allowed.

Operations

Encrypt (-e)

Use -e followed by the data to encrypt.

Decrypt (-d)

Use -d followed by the encrypted data to decrypt. The same locks used during encryption must be provided for decryption.

Output Flags

Flag Purpose
--PlainText Output as plain text

Always include --PlainText for readable output.

Sensitive Data Handling (MANDATORY)

The request body contains sensitive data (plaintext, PINs, passwords). The same protection applied to the API key applies to ALL sensitive values:

  • Never pass the JSON body via -d '...' on the command line. The -d argument is visible in ps and shell history, which would expose plaintext data, PINs, and passwords.
  • Always pipe the body via stdin using -d @-. This keeps all sensitive values out of the process argument list.
  • Use a heredoc (\x3C\x3C'EOF') to build the JSON body and pipe it into curl.

Building the curl Command

Construct the args array by mapping user requirements to flags. Order within the array doesn't matter, but group related flags and their values together for readability.

All examples use -d @- (read body from stdin) so that neither the API key, plaintext data, PINs, nor passwords appear on the command line, in shell history, or in ps output.

Encrypt with pin lock only:

cat \x3C\x3C'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-
{"args":["-e","\x3CDATA>","-1","\x3CPIN>","--PlainText"]}
EOF

Encrypt with all locks:

cat \x3C\x3C'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-
{"args":["-e","\x3CDATA>","-w","\x3CPASSWORD>","-1","\x3CPIN>","-2","\x3CPHONE>","-l","\x3CSTART_DATE>","-r","\x3CEND_DATE>","--PlainText"]}
EOF

Decrypt:

cat \x3C\x3C'EOF' | curl -s https://api.lesecure.ai/exec \
  -H "Authorization: Bearer $LESECURE_API_KEY" \
  -H "Content-Type: application/json" \
  -d @-
{"args":["-d","\x3CENCRYPTED_DATA>","-1","\x3CPIN>","--PlainText"]}
EOF

Workflow

  1. Preflight the requirements from the Requirements section above. Specifically, confirm $LESECURE_API_KEY is set. If it is not set, show the user the one-time setup block and stop — do not proceed, do not ask the user to paste the key into chat.
  2. Data-transmission disclosure (first use only). On the first encrypt/decrypt in a session, inform the user: "This will send your data to api.lesecure.ai over HTTPS for encryption/decryption." Proceed only after acknowledgment.
  3. Gather non-secret inputs from the user:
    • The data to encrypt or decrypt
    • Which locks to apply (pin, password, MFA, time window) and their values
    • Always include --PlainText (Do NOT ask for the API key — it comes from the environment.)
  4. Build the args array with the appropriate flags and values.
  5. Execute the curl command via Bash using the cat \x3C\x3C'EOF' | curl ... -d @- pattern. Never use inline -d '...'. This keeps all sensitive data (plaintext, PINs, passwords) out of ps output and shell history.
  6. If decrypting, remind the user they need the same lock values that were used during encryption.

Important Notes

  • Phone numbers for MFA (-2) should be in E.164 format (e.g., +19199870623).
  • Time lock dates use the format YYYY/MM/DD HH:MM. See the "Date & Time Rules" section above — always EST/EDT, always +2 min buffer on start.
  • Time locks require both -l (start) and -r (end) to define the access window.
  • If the API returns an error, show the response to the user and help them troubleshoot (common issues: wrong lock values for decryption, expired time window, invalid API key). Do not include the API key in any troubleshooting output.
Usage Guidance
This skill appears to do what it says: call a LESecure cloud API to encrypt/decrypt plaintext using an API key. Before installing, consider: (1) All plaintext you send (and any lock data you provide) will go to api.lesecure.ai — don't send highly sensitive data unless you trust their privacy/policy and have verified the project. (2) Provide the API key via a secure secret manager or an environment variable; avoid pasting keys into chat. Note the SKILL.md's claim that the key is never placed on the command line is optimistic: if the agent expands $LESECURE_API_KEY into a curl header it can still appear in process args or logs depending on execution context, so prefer secret manager injection or LESecureLocal for very sensitive material. (3) The one-time interactive setup (read -rs) may not work for non-interactive agents — verify how your agent runtime will supply the env var. (4) Test with non-sensitive sample data first and rotate the key immediately if it’s ever pasted into chat or otherwise exposed.
Capability Analysis
Type: OpenClaw Skill Name: lesecurecl Version: 1.0.4 The LESecureCl skill is a well-documented interface for a cloud-based encryption API (api.lesecure.ai). It follows security best practices by instructing the agent to use environment variables for API keys and piping sensitive data to curl via stdin (using heredocs) to prevent exposure in process lists or shell history. The skill includes mandatory data-transmission disclosures, requires user acknowledgment before first use, and explicitly redirects file-based operations to a local-only alternative (LESecureLocal) to minimize risk.
Capability Tags
requires-oauth-tokenrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description ask to encrypt/decrypt plaintext via LESecure cloud. Required tools (curl, python3) and a single API key (LESECURE_API_KEY) are proportionate and expected for calling a REST API and computing time-lock windows.
Instruction Scope
SKILL.md is instruction-only and stays on-topic: it restricts cloud usage to plaintext, forbids file encryption (redirects to LESecureLocal), documents whatsent to the API, and mandates informing the user before sending data. Minor issues: it prescribes an interactive one-time shell prompt (read -rs) which may not be practical for non-interactive agent environments, and it contains mixed guidance about accepting pasted keys into chat vs. never asking for them.
Install Mechanism
No install spec or code files — lowest-risk instruction-only skill; nothing is downloaded or written to disk by the skill itself.
Credentials
Only one credential (LESECURE_API_KEY) is required which is appropriate. However the doc's claim that the key is 'never written on the command line' conflicts with the listed usage (inserting $LESECURE_API_KEY into a curl header). Substituting the env var into a curl argument can expose the literal token in process arguments or logs depending on how the agent executes commands. The guidance to prefer secret managers and not to paste keys into chat is correct and should be followed.
Persistence & Privilege
Skill is not always-enabled and does not request persistent elevated privileges or access to other skills' configurations. It does not write to system config paths or require unusual persistence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install lesecurecl
  3. After installation, invoke the skill by name or use /lesecurecl
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
LESecureCl v1.0.4 - Added explicit warnings and recommendations about sending sensitive data to the third-party API endpoint, including links to source, privacy, and documentation. - Requirements now specify Python 3.9+ (for the built-in `zoneinfo` module used in EST/EDT time calculations). - Clarified that the cloud skill is for plaintext only, and explained options to use LESecureLocal for on-device processing if privacy concerns exist. - Improved API key and environment variable security guidance, with additional instructions for secure long-term storage and reminders on key rotation if exposure occurs. - Enhanced onboarding flow: users must acknowledge the remote transmission on first use, and are advised to test with non-sensitive data first.
v1.0.3
LESecureCl 1.0.3 Changelog - Added a "Data Transmission Notice" informing users that plaintext and lock data are sent over HTTPS to api.lesecure.ai and requiring acknowledgment before proceeding. - Enhanced sensitive data handling: Now requires all request bodies (containing plaintext, PINs, passwords) to be piped via stdin (`-d @-`) instead of passing JSON through the command line, to prevent exposure in process lists or shell history. - Clarified and tightened security requirements for both transmitted data and API key usage to further reduce risk of local data leakage.
v1.0.2
**LESecureCl 1.0.2 Changelog** - Added strict requirements checking: Now verifies `curl`, `python3`, and the `LESECURE_API_KEY` environment variable before any operation; stops if any are missing. - Improved API key handling: Only accepts API keys via the environment variable (`LESECURE_API_KEY`) and never asks users to paste keys into chat. - Enhanced user privacy: Clarified that the skill never logs, prints, or writes the API key; emphasizes single-session use if key is pasted. - Minor clarifications and stricter instructions about secrets, setup, and available system tools. - No changes to routing or encryption logic.
v1.0.1
**Enhancement: API key handling and cross-platform time calculation** - API key usage is now safer: do not interpolate keys directly in `curl` commands; require use of environment variables; never echo or log the key. - Added explicit, cross-platform Python commands for date/time calculation; fall back to `date` only if Python is unavailable. - Updated usage examples and instructions to reference environment variables for API authentication. - Remind users to rotate or protect their API key if they paste it directly.
v1.0.0
LESecureCl 1.0.0 — Initial Release - Adds encryption and decryption of plain text via the LESecure API with combinable security locks (PIN, password, MFA, time-based). - Implements strict routing: plaintext handled in cloud; files/folders always directed to LESecure Local. - Automatic time window handling in EST/EDT, with a +2 minute buffer for start times. - Guides user to specify security lock types and values, API key, and output preferences for each operation. - Returns readable plain text output and provides clear error feedback, including troubleshooting steps.
Metadata
Slug lesecurecl
Version 1.0.4
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is LeSecure Cloud?

LESecure Cloud Skills — encrypt or decrypt data using the LESecure API with layered locks (pin, password, MFA, time lock). Use this skill whenever the user m... It is an AI Agent Skill for Claude Code / OpenClaw, with 101 downloads so far.

How do I install LeSecure Cloud?

Run "/install lesecurecl" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is LeSecure Cloud free?

Yes, LeSecure Cloud is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does LeSecure Cloud support?

LeSecure Cloud is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created LeSecure Cloud?

It is built and maintained by Ladhe's Encryption - LE (@spalgorithm); the current version is v1.0.4.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments