功能描述

Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage. Triggers: "key vault", "SecretClient", "KeyClient", "CertificateClient", "secrets", "encryption keys".

使用说明 (SKILL.md)

Azure Key Vault SDK for Python

Name: Azure Keyvault Py
Author: thegovind

Secure storage and management for secrets, cryptographic keys, and certificates.

Installation

# Secrets
pip install azure-keyvault-secrets azure-identity

# Keys (cryptographic operations)
pip install azure-keyvault-keys azure-identity

# Certificates
pip install azure-keyvault-certificates azure-identity

# All
pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity

Environment Variables

AZURE_KEYVAULT_URL=https://\x3Cvault-name>.vault.azure.net/

Secrets

SecretClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = SecretClient(vault_url=vault_url, credential=credential)

Secret Operations

# Set secret
secret = client.set_secret("database-password", "super-secret-value")
print(f"Created: {secret.name}, version: {secret.properties.version}")

# Get secret
secret = client.get_secret("database-password")
print(f"Value: {secret.value}")

# Get specific version
secret = client.get_secret("database-password", version="abc123")

# List secrets (names only, not values)
for secret_properties in client.list_properties_of_secrets():
    print(f"Secret: {secret_properties.name}")

# List versions
for version in client.list_properties_of_secret_versions("database-password"):
    print(f"Version: {version.version}, Created: {version.created_on}")

# Delete secret (soft delete)
poller = client.begin_delete_secret("database-password")
deleted_secret = poller.result()

# Purge (permanent delete, if soft-delete enabled)
client.purge_deleted_secret("database-password")

# Recover deleted secret
client.begin_recover_deleted_secret("database-password").result()

Keys

KeyClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = KeyClient(vault_url=vault_url, credential=credential)

Key Operations

from azure.keyvault.keys import KeyType

# Create RSA key
rsa_key = client.create_rsa_key("rsa-key", size=2048)

# Create EC key
ec_key = client.create_ec_key("ec-key", curve="P-256")

# Get key
key = client.get_key("rsa-key")
print(f"Key type: {key.key_type}")

# List keys
for key_properties in client.list_properties_of_keys():
    print(f"Key: {key_properties.name}")

# Delete key
poller = client.begin_delete_key("rsa-key")
deleted_key = poller.result()

Cryptographic Operations

from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

# Get crypto client for a specific key
crypto_client = CryptographyClient(key, credential=credential)
# Or from key ID
crypto_client = CryptographyClient(
    "https://\x3Cvault>.vault.azure.net/keys/\x3Ckey-name>/\x3Cversion>",
    credential=credential
)

# Encrypt
plaintext = b"Hello, Key Vault!"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
ciphertext = result.ciphertext

# Decrypt
result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
decrypted = result.plaintext

# Sign
from azure.keyvault.keys.crypto import SignatureAlgorithm
import hashlib

digest = hashlib.sha256(b"data to sign").digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature

# Verify
result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
print(f"Valid: {result.is_valid}")

Certificates

CertificateClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()
vault_url = "https://\x3Cvault-name>.vault.azure.net/"

client = CertificateClient(vault_url=vault_url, credential=credential)

Certificate Operations

# Create self-signed certificate
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate("my-cert", policy=policy)
certificate = poller.result()

# Get certificate
certificate = client.get_certificate("my-cert")
print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")

# Get certificate with private key (as secret)
from azure.keyvault.secrets import SecretClient
secret_client = SecretClient(vault_url=vault_url, credential=credential)
cert_secret = secret_client.get_secret("my-cert")
# cert_secret.value contains PEM or PKCS12

# List certificates
for cert in client.list_properties_of_certificates():
    print(f"Certificate: {cert.name}")

# Delete certificate
poller = client.begin_delete_certificate("my-cert")
deleted = poller.result()

Client Types Table

Client	Package	Purpose
`SecretClient`	`azure-keyvault-secrets`	Store/retrieve secrets
`KeyClient`	`azure-keyvault-keys`	Manage cryptographic keys
`CryptographyClient`	`azure-keyvault-keys`	Encrypt/decrypt/sign/verify
`CertificateClient`	`azure-keyvault-certificates`	Manage certificates

Async Clients

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

async def get_secret():
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)
    
    async with client:
        secret = await client.get_secret("my-secret")
        print(secret.value)

import asyncio
asyncio.run(get_secret())

Error Handling

from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try:
    secret = client.get_secret("nonexistent")
except ResourceNotFoundError:
    print("Secret not found")
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - check RBAC permissions")
    raise

Best Practices

Use DefaultAzureCredential for authentication
Use managed identity in Azure-hosted applications
Enable soft-delete for recovery (enabled by default)
Use RBAC over access policies for fine-grained control
Rotate secrets regularly using versioning
Use Key Vault references in App Service/Functions config
Cache secrets appropriately to reduce API calls
Use async clients for high-throughput scenarios

安全使用建议

Things to consider before installing: (1) Provenance — the skill has no listed source or homepage; prefer official Microsoft/published sources. (2) Environment mismatch — SKILL.md requires AZURE_KEYVAULT_URL and implicitly uses DefaultAzureCredential (which can consume AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, Azure CLI tokens, managed identity). The registry metadata did not declare those — verify expected env/credentials before use. (3) Privilege scope — the sample code shows reading secret values and performing destructive actions (delete/purge). Only grant the minimum Azure identity permissions required (use a limited service principal with least privilege rather than broad credentials). (4) Autonomy — the agent may invoke the skill automatically; if you allow that, be confident in credential granularity and the skill owner. (5) If you need higher assurance, ask the publisher for a homepage/repo and confirm the SKILL.md matches an official azure-keyvault SDK example.

功能分析

Type: OpenClaw Skill Name: azure-keyvault-py Version: 0.1.0 The skill bundle provides documentation and code examples for interacting with Azure Key Vault using the official Python SDKs. All installation commands and Python code snippets in `SKILL.md` are standard and demonstrate legitimate usage of the Azure Key Vault services. There is no evidence of prompt injection, malicious execution, data exfiltration, persistence mechanisms, or suspicious external network calls. The dependencies listed are official Azure SDK packages, and the environment variable setup is for a legitimate Azure Key Vault URL.

能力评估

ℹ Purpose & Capability

The SKILL.md is a legitimate set of instructions for the Azure Key Vault Python SDK (secrets, keys, certificates) and the listed pip packages align with that purpose. However the registry metadata claims no required environment variables or primary credential while the instructions reference AZURE_KEYVAULT_URL and rely on DefaultAzureCredential, so the declared requirements do not fully match the actual usage. Source/homepage is missing which reduces provenance.

ℹ Instruction Scope

Instructions stay within Key Vault operations (set/get/list/delete secrets, manage keys/certificates, crypto ops). They explicitly access secret values (including cert private-key material via secrets) and show destructive operations (purge, delete). They do not instruct reading unrelated local files, but they do rely on authentication behavior (DefaultAzureCredential) that may cause the agent to use any available local Azure credentials/tokens.

✓ Install Mechanism

No install spec in registry (instruction-only). SKILL.md recommends pip installing official azure-keyvault-* and azure-identity packages from PyPI, which is expected and proportionate for a Python SDK integration.

⚠ Credentials

Registry metadata lists no required env vars, but SKILL.md references AZURE_KEYVAULT_URL and uses DefaultAzureCredential. DefaultAzureCredential can pull credentials from multiple sources (AZURE_CLIENT_ID/CLIENT_SECRET/TENANT_ID env vars, Azure CLI tokens, managed identity, developer tooling). The skill therefore implicitly requires/consumes sensitive credentials but fails to declare them, which is disproportionate and risky.

ℹ Persistence & Privilege

always is false and the skill is user-invocable (normal). disable-model-invocation is false so the agent could call the skill autonomously — by itself this is a platform default, but combined with the skill's ability to access and delete secrets it increases potential impact. The skill does not request persistent installation or system-wide config changes.

版本历史

v0.1.0

- Initial release of azure-keyvault-py skill. - Provides an overview and setup instructions for Python Azure Key Vault SDKs: secrets, keys, and certificates. - Includes usage examples for SecretClient, KeyClient, CryptographyClient, and CertificateClient. - Documents installation, authentication, environment variables, and error handling. - Lists best practices and usage tips for secure key vault integration.

元数据

Slug azure-keyvault-py

版本 0.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Azure Keyvault Py 是什么？

Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage. Triggers: "key vault", "SecretClient", "KeyClient", "CertificateClient", "secrets", "encryption keys". 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1602 次。

如何安装 Azure Keyvault Py？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install azure-keyvault-py」即可一键安装，无需额外配置。

Azure Keyvault Py 是免费的吗？

是的，Azure Keyvault Py 完全免费（开源免费），可自由下载、安装和使用。

Azure Keyvault Py 支持哪些平台？

Azure Keyvault Py 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Azure Keyvault Py？

由 thegovind（@thegovind）开发并维护，当前版本 v0.1.0。

Azure Keyvault Py