← 返回 Skills 市场
Cloak
作者
Saba Tchikhinashvili
· GitHub ↗
· v0.1.3
· MIT-0
266
总下载
0
收藏
1
当前安装
4
版本数
在 OpenClaw 中安装
/install cloak
功能描述
Share one-time secrets between humans and agents via encrypted self-destructing links
使用说明 (SKILL.md)
Cloak — One-Time Secret Sharing
Share API keys, passwords, and tokens via encrypted self-destructing links.
Base URL: https://cloak.opsy.sh
Create a secret
curl -s -X POST https://cloak.opsy.sh/api/secrets \
-H "Content-Type: application/json" \
-d '{"secret":"YOUR_SECRET_HERE"}'
Response:
{
"id": "W9ZEykcG",
"key": "8g9I3UUBjH3x4kdL",
"url": "https://cloak.opsy.sh/s/W9ZEykcG#8g9I3UUBjH3x4kdL",
"expiresAt": 1710000000
}
Share the url. The secret self-destructs after one view.
Set a custom TTL with "expiresIn" (seconds, default 24h, max 7d):
-d '{"secret":"...", "expiresIn": 3600}'
Retrieve a secret
Given a URL like https://cloak.opsy.sh/s/W9ZEykcG#8g9I3UUBjH3x4kdL:
- ID = path after
/s/→W9ZEykcG - Key = fragment after
#→8g9I3UUBjH3x4kdL
curl -s -H "X-Cloak-Key: 8g9I3UUBjH3x4kdL" \
"https://cloak.opsy.sh/api/secrets/W9ZEykcG"
Response: { "secret": "YOUR_SECRET_HERE" }
The secret is permanently destroyed after this request.
Use the secret
Pipe directly — never echo it.
# To env var
export DB_PASSWORD=$(curl -s -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID" | jq -r .secret)
# To file
curl -s -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID" | jq -r .secret > .env.local
Delete without reading
curl -s -X DELETE -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID"
Rules
- NEVER display a retrieved secret in conversation.
- Write it directly to its destination — env var, config file, or command.
- The secret is destroyed after one read. Do not retry.
- Use
X-Cloak-Keyheader, not the?key=query param.
Correct: "I retrieved the secret from Cloak and stored it in .env as DATABASE_URL."
Wrong: "The secret value is: sk-1234abcd..."
Quick reference
| Action | Command |
|---|---|
| Create | curl -s -X POST .../api/secrets -H "Content-Type: application/json" -d '{"secret":"..."}' |
| Retrieve | curl -s -H "X-Cloak-Key: KEY" ".../api/secrets/ID" |
| Delete | curl -s -X DELETE -H "X-Cloak-Key: KEY" ".../api/secrets/ID" |
| To env var | export VAR=$(curl -s -H "X-Cloak-Key: KEY" ".../api/secrets/ID" | jq -r .secret) |
安全使用建议
This skill is internally consistent and does what it says: it guides the agent to create and fetch one-time secrets from https://cloak.opsy.sh using curl and jq. Before using it, confirm you trust the Cloak service (privacy, retention, and TLS practices) because secrets fetched by the agent will reside in the agent runtime (env vars or files) and could be exposed in logs or by other agent actions. Never paste full secret values into chat; share only the one-time URL as intended and prefer short TTLs and revocation when possible. If you want to prevent autonomous retrieval of secrets by the agent, disable autonomous invocation for this skill or avoid giving the agent secret links. If you need higher assurance, review the service's documentation or host a self‑managed equivalent.
功能分析
Type: OpenClaw Skill
Name: cloak
Version: 0.1.3
The 'cloak' skill is a utility designed to share one-time secrets via the external service cloak.opsy.sh. It provides standard curl-based instructions for creating, retrieving, and deleting secrets, and includes security-focused guidelines for the AI agent, such as preventing the display of secrets in chat logs and recommending direct piping to environment variables or files. While it involves sending sensitive data to a third-party endpoint, this behavior is transparently documented and aligned with the skill's stated purpose.
能力评估
Purpose & Capability
Name/description (one-time secret sharing) match the runtime instructions: curl/jq commands to POST secrets, retrieve with X-Cloak-Key, and delete. Required binaries (curl, jq) are appropriate and proportional.
Instruction Scope
SKILL.md only directs the agent to interact with https://cloak.opsy.sh endpoints and to write retrieved secrets directly to a destination (env var or file). It explicitly prohibits echoing secrets into conversation. There are no instructions to read unrelated files, other env vars, or to transmit secrets to other endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is dropped to disk and no external packages are fetched. This is lowest-risk from an install perspective.
Credentials
The skill requests no environment variables, credentials, or config paths. The actions it requires (making HTTPS requests and piping output through jq) do not need additional secrets from the runtime beyond the one-time secret provided by the user/link.
Persistence & Privilege
always is false and there is no install or persistent configuration. The skill allows autonomous model invocation (disable-model-invocation is false) — this is the platform default. Be aware: if the agent receives a valid Cloak URL/key, it could autonomously retrieve that secret into its runtime environment; this behavior is consistent with the skill's purpose but is a privacy/operational risk to consider.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cloak - 安装完成后,直接呼叫该 Skill 的名称或使用
/cloak触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.3
Release 0.1.3
v0.1.2
Release 0.1.2
v0.1.1
Patch release — CI fixes, README rewrite
v0.1.0
Initial release
元数据
常见问题
Cloak 是什么?
Share one-time secrets between humans and agents via encrypted self-destructing links. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 266 次。
如何安装 Cloak?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cloak」即可一键安装,无需额外配置。
Cloak 是免费的吗?
是的,Cloak 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Cloak 支持哪些平台?
Cloak 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Cloak?
由 Saba Tchikhinashvili(@saba-ch)开发并维护,当前版本 v0.1.3。
推荐 Skills