smarcombes

Secure API Calls

by Séverin MARCOMBES · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
Downloads 2715
Stars 4
Active Installs 14
Versions 4
Install in OpenClaw
/install secure-api-calls
Description
Call any API without leaking credentials. Keychains proxies requests and injects real tokens server-side — your agent never sees them.
Usage Guidance
This skill appears internally consistent: it installs the Keychains CLI via npm and instructs the agent to route API calls through keychains.dev using placeholder tokens. Before installing, verify you trust the Keychains service and the npm package maintainer (review the package source, maintainers, and recent versions). Understand that the CLI will create a local keypair (~/.keychains/) and that full request metadata (URL, headers, body) will be proxied to keychains.dev — only placeholders are meant to contain secrets, but accidental inclusion of real secrets in other parts of a request would expose them to the proxy. If you require higher assurance, review the keychains npm package code, audit network traffic during a test run, pin the package version, and confirm the Keychains privacy/security documentation and ownership. Also note user-invocable:false and that autonomous model invocation is allowed by default — if you do not want an agent to call this skill without explicit user action, disable model invocation or avoid installing the skill.
Capability Analysis
Type: OpenClaw Skill
Name: secure-api-calls
Version: 1.0.3

The skill is classified as suspicious due to its reliance on installing a global npm package (`[email protected]`) and the local generation of an Ed25519 SSH keypair in `~/.keychains/` by the `keychains` CLI, as detailed in `SKILL.md`. While the skill's stated purpose is to enhance security by abstracting credentials via a proxy service (`keychains.dev`), these operations introduce significant supply chain risks and trust requirements. If the `keychains` package or the `keychains.dev` service were compromised, it could lead to unauthorized access or credential leakage, despite the skill's explicit claims of security and privacy.
Capability Assessment
Purpose & Capability
Name/description, required binary ('keychains'), and the npm install step all align: the skill is a wrapper around the Keychains CLI/SDK to proxy credentials server-side. There are no unrelated binaries or environment variables requested.
Instruction Scope
SKILL.md confines actions to installing/using the keychains CLI/SDK and instructs the agent to send requests through keychains.dev (using placeholders like {{OAUTH2_ACCESS_TOKEN}}). This is consistent with the stated purpose. It does, however, direct the tool to create local machine keys (~/.keychains/) and route full request metadata (URL, headers, body) via keychains.dev — meaning request payloads are sent to a third-party proxy. This is expected for the service but worth explicit user trust consideration.
Install Mechanism
Install uses npm ([email protected]) to create a 'keychains' binary. npm is an expected distribution mechanism for a CLI/SDK; no arbitrary download URLs or extract steps are used. Installing globally requires write permissions and will add a binary to the system PATH.
Credentials
The skill declares no required environment variables or external credentials, which is coherent because Keychains uses placeholders and a remote vault. The skill will generate local keys (~/.keychains) for machine auth; that is proportionate to the stated SSH challenge-response authentication mechanism.
Persistence & Privilege
The skill does not request always:true and does not ask for extra system privileges, but it will create persistent local state (~/.keychains/) and communicates with an external proxy service. Autonomous model invocation remains enabled (default), so an agent could call this skill to proxy requests; consider the privacy/trust implications of allowing autonomous calls that send request bodies to keychains.dev.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secure-api-calls
  3. After installation, invoke the skill by name or use /secure-api-calls
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- SKILL.md significantly updated for clarity, conciseness, and easier onboarding.
- Audience refocus: emphasizes agent and end-user security, user control, and setup simplicity.
- Adds quick start, usage, troubleshooting, and explicit security sections.
- Highlights install command, service requirements, and provider compatibility.
- Updates metadata for improved integration and discoverability.
- Removes older SKILL.md sections now superseded by new structured documentation.
v1.0.2
- Updated CLI usage: now recommends installing the CLI globally with `npm install -g [email protected]` and using the `keychains` command instead of `npx -y [email protected]`.
- Updated environment variable instructions: `KEYCHAINS_TOKEN` should be minted using `keychains token` instead of the previous `npx` command.
- Added links to source code, privacy policy, and terms of service in the metadata.
- Documentation improvements for clarity and up-to-date examples.
v1.0.1
- Added detailed metadata fields: homepage, security info, installs, env variables, config paths, and explicit permissions.
- CLI and SDK install commands updated to pin version to 0.0.13 for security.
- Environment variable usage clarified for KEYCHAINS_TOKEN, especially for SDKs.
- Explicit config file paths and their purposes listed for better transparency.
- Permissions and network access explicitly documented.
- No changes to core functionality or usage instructions.
v1.0.0
- Initial release of Secure API Calls skill.
- Enables calling any API without exposing credentials.
- Uses Keychains.dev as a trusted proxy to inject OAuth/API keys server-side.
- Supports CLI, TypeScript (Machine & Client SDKs), and Python.
- Credentials are never accessible by the agent; users remain in control and can revoke access at any time.
- Compatible with 5,500+ API providers.
Metadata
Slug secure-api-calls
Version 1.0.3
License
All-time Installs 15
Active Installs 14
Total Versions 4
Frequently Asked Questions

What is Secure API Calls?

Call any API without leaking credentials. Keychains proxies requests and injects real tokens server-side — your agent never sees them. It is an AI Agent Skill for Claude Code / OpenClaw, with 2715 downloads so far.

How do I install Secure API Calls?

Run "/install secure-api-calls" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Secure API Calls free?

Yes, Secure API Calls is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Secure API Calls support?

Secure API Calls is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Secure API Calls?

It is built and maintained by Séverin MARCOMBES (@smarcombes); the current version is v1.0.3.
