← 返回 Skills 市场
A2A Vault
作者
Lê Minh Hiếu
· GitHub ↗
· v2.0.0
469
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install a2a-vault
功能描述
Zero-knowledge secrets management via PassBox — store, retrieve, rotate, and inject credentials securely.
使用说明 (SKILL.md)
A2A Vault (PassBox)
Zero-knowledge secrets management. Store API keys, tokens, and credentials with client-side encryption. The server never sees plaintext values.
Quick Start
Store a secret:
Use passbox_set_secret with vault "my-project", key "API_KEY", value "sk-abc123"
Retrieve a secret:
Use passbox_get_secret with vault "my-project", key "API_KEY"
Available Tools
Secret Operations
| Tool | Description |
|---|---|
passbox_get_secret |
Retrieve and decrypt a secret |
passbox_set_secret |
Create or update a secret (encrypted before upload) |
passbox_list_secrets |
List secret names (values not returned) |
passbox_delete_secret |
Delete a secret |
passbox_rotate_secret |
Trigger manual secret rotation |
Vault Management
| Tool | Description |
|---|---|
passbox_list_vaults |
List all available vaults |
passbox_list_environments |
List environments (dev, staging, prod) |
passbox_get_environment |
Get all secrets in an environment |
.env Integration
| Tool | Description |
|---|---|
passbox_diff_env |
Compare local .env with vault secrets |
passbox_import_env |
Import .env file into vault |
Workflows
Set up project credentials
passbox_list_vaults— see existing vaultspassbox_set_secret— store each credentialpassbox_list_secrets— verify all keys are stored
Sync .env with vault
- Read your local .env file
passbox_diff_env— see what's differentpassbox_import_env— push local secrets to vault
Environment promotion
passbox_get_environmentfor "dev"- Review values
passbox_set_secretfor each key in "staging"
Credential injection
Use with a2a_secure_execute to automatically inject secrets:
Use a2a_secure_execute with toolId "my-api-tool" and input { "apiKey": "{{API_KEY}}" }, vault "my-project"
The {{API_KEY}} placeholder is resolved from PassBox before execution.
Security Model
- Client-side encryption: Values are encrypted before leaving your device
- Zero-knowledge: The server stores only ciphertext
- Environment isolation: dev/staging/prod secrets are fully separated
- Audit trail: All access is logged
- Secret rotation: Built-in rotation support with webhooks
安全使用建议
Before installing, verify the npm package provenance and vendor: look up @a2a/openclaw-plugin on the registry, inspect its source repository and recent releases, and confirm the publisher identity. Ask the author to declare any required file paths/permissions (reading .env) and to explain how decrypted secrets are handled, logged, or transmitted (especially with passbox_get_environment and a2a_secure_execute). If you plan to use this in sensitive environments, consider restricting the agent's file access or testing in a low-risk environment first, and require explicit confirmation before any bulk export/injection of secrets. If you cannot verify the package source or the team, treat the installation as higher-risk and avoid granting the agent access to production .env files or production secrets until you have more provenance.
功能分析
Type: OpenClaw Skill
Name: a2a-vault
Version: 2.0.0
The skill bundle defines a 'a2a-vault' for zero-knowledge secrets management. All described tools (`passbox_get_secret`, `passbox_set_secret`, `passbox_import_env`, etc.) align with its stated purpose of securely storing, retrieving, and managing credentials. While the skill handles sensitive data and relies on an external Node.js plugin (`@a2a/openclaw-plugin`) for functionality, the provided files contain no evidence of malicious intent, data exfiltration, unauthorized execution, or prompt injection attempts against the agent. The capabilities, such as reading `.env` files, are explicitly part of its legitimate design.
能力评估
Purpose & Capability
Name/description (zero-knowledge secrets management) align with the listed passbox_* tools (store, retrieve, list, rotate, import .env, inject into executions). The install spec (npm package @a2a/openclaw-plugin) plausibly provides those tools.
Instruction Scope
SKILL.md explicitly instructs the agent to "Read your local .env file" and to perform bulk retrievals (passbox_get_environment) and automated injection (a2a_secure_execute). The skill declares no required config paths or file permissions, and does not constrain how retrieved plaintext secrets may be handled or transmitted. Asking the agent to read local files and resolve placeholders increases the risk of unintended exfiltration and is not declared in the metadata.
Install Mechanism
The install uses an npm package (@a2a/openclaw-plugin). That's a typical mechanism but adds moderate risk compared with instruction-only skills. There is no homepage, source repository, or release provenance in the metadata, which reduces confidence in the package's trustworthiness.
Credentials
No environment variables or credentials are requested, which is reasonable. However, the skill instructs reading local .env files and retrieving entire environment secret sets without declaring file/config access; that implicit request for local file access and bulk secret access is disproportionate to the metadata and should be explicitly declared and justified.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request persistent system-wide privileges in the manifest and does not claim to modify other skills or system configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install a2a-vault - 安装完成后,直接呼叫该 Skill 的名称或使用
/a2a-vault触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.0
Initial release — PassBox zero-knowledge secrets management with 10 tools
元数据
常见问题
A2A Vault 是什么?
Zero-knowledge secrets management via PassBox — store, retrieve, rotate, and inject credentials securely. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 469 次。
如何安装 A2A Vault?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install a2a-vault」即可一键安装,无需额外配置。
A2A Vault 是免费的吗?
是的,A2A Vault 完全免费(开源免费),可自由下载、安装和使用。
A2A Vault 支持哪些平台?
A2A Vault 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 A2A Vault?
由 Lê Minh Hiếu(@paparusi)开发并维护,当前版本 v2.0.0。
推荐 Skills