← 返回 Skills 市场
basher83

Devtools Secrets

作者 basher83 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
665
总下载
1
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install devtools-secrets
功能描述
Knowledge and guardrails for the mise + fnox + infisical secrets toolchain. Use when the user asks to "configure secrets", "set up fnox", "infisical", "mise...
使用说明 (SKILL.md)

DevTools Secrets

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain.

Toolchain Validation

IMPORTANT: Check tool availability before proceeding with any guidance.

  • mise: !command -v mise >/dev/null 2>&1 && echo "INSTALLED ($(mise --version 2>/dev/null | head -1))" || echo "MISSING — install with: curl https://mise.run | sh"
  • fnox: !command -v fnox >/dev/null 2>&1 && echo "INSTALLED ($(fnox --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g fnox"
  • infisical: !command -v infisical >/dev/null 2>&1 && echo "INSTALLED ($(infisical --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g infisical"

If any tool above shows MISSING, stop and help the user install it before proceeding. Do not provide configuration guidance for tools that aren't installed.

Project Config State

  • fnox.toml: !test -f fnox.toml && echo "YES" || echo "NO (run: fnox init)"
  • .infisical.json: !test -f .infisical.json && cat .infisical.json || echo "NO (run: infisical init)"
  • mise.toml env section: !grep -A5 '^\[env\]' mise.toml 2>/dev/null || echo "No env section"

System/Global Config

  • mise global config: !test -f ~/.config/mise/config.toml && head -10 ~/.config/mise/config.toml || echo "No global mise config"
  • fnox global config: !test -f ~/.config/fnox/config.toml && head -10 ~/.config/fnox/config.toml || echo "No global fnox config"
  • infisical logged in: !infisical user get 2>/dev/null | head -3 || echo "Not logged in or not installed"

Tool Roles

Tool Role
mise Task runner + env manager. Orchestrates dev tooling, runs tasks, manages env vars through plugins.
fnox Unified secret interface. Abstracts over multiple secret backends (infisical, age, env files) with a single CLI.
infisical Remote secrets backend. Stores, syncs, and injects secrets from a central server.

These tools complement each other: infisical stores secrets remotely, fnox provides a unified local interface to them, and mise orchestrates tasks that consume secrets via fnox.

Integration Chain

The typical flow:

  1. fnox.toml defines infisical as a provider with project/environment config
  2. fnox exec -- resolves secrets from the provider and injects them as env vars
  3. mise tasks can wrap fnox exec to run commands with secrets injected
  4. Alternatively, mise env plugins can call fnox directly for auto-injection on cd

Secrets Enforcement

This project enforces secrets hygiene via always-on hooks in .claude/settings.json (not scoped to this skill):

  • block-hardcoded-secrets.py — Blocks Edit/Write operations containing hardcoded API keys, tokens, passwords, or known secret prefixes (sk-, ghp_, AKIA, xox[bpras]-)
  • block-bare-secret-exports.py — Blocks Bash commands that export secret-like env vars without wrapping in fnox exec or infisical run

These hooks are always active regardless of whether this skill is loaded.

Configuration Patterns

Detailed configuration for each tool is in the reference files:

  • @references/mise-integration.md — mise env plugins, tasks, fnox integration
  • @references/fnox-configuration.md — fnox.toml structure, providers, profiles
  • @references/infisical-patterns.md — infisical CLI, scanning, CI/CD

Gotchas

  • Order matters: fnox.toml must exist before fnox exec works. Run fnox init if missing.
  • Profile mismatches: fnox profiles (dev/staging/prod) must match infisical environment slugs. A mismatch silently returns empty secrets.
  • .infisical.json is safe to commit — it contains project IDs and workspace config, not secrets.
  • fnox.toml may contain sensitive paths — review before committing if using age-encrypted file provider.
  • mise env plugins run on cd — if a plugin calls fnox and fnox is misconfigured, you get errors on every directory change.
  • infisical auth expiresinfisical login tokens have a TTL. CI/CD should use INFISICAL_TOKEN (service token) instead.
  • Token path scope is explicit — a service token scoped to / cannot access secrets in child paths like /git_actions. Each path requires its own token or use --recursive with the CLI directly.
安全使用建议
This skill is a documentation/runbook for mise+fnox+infisical and appears internally consistent. Before letting an agent run these instructions: (1) be aware it will read local and global config files (~/..., project files) and run CLIs that may expose metadata or secrets if present; (2) do not paste service tokens or secrets into an agent prompt unless you trust the execution environment; (3) if you prefer, run the listed diagnostic commands yourself (command -v, cat, head, infisical user get) so you control what is printed; (4) consider restricting autonomous invocation or reviewing any commands the agent proposes to execute. If you want a narrower audit, provide a transcript of the exact commands the agent would run and I can point out which outputs may contain sensitive data.
功能分析
Type: OpenClaw Skill Name: devtools-secrets Version: 1.0.0 The skill bundle is classified as suspicious primarily due to a prompt injection vulnerability in `SKILL.md`. The instruction `install with: curl https://mise.run | sh` presents a significant risk of arbitrary code execution if the AI agent interprets it as an executable command rather than an informational suggestion. Additionally, `SKILL.md` explicitly instructs the agent to read user configuration files (`.infisical.json`, `~/.config/mise/config.toml`, `~/.config/fnox/config.toml`), which, while stated for validation purposes, demonstrates sensitive file access capabilities. The skill's overall purpose of managing secret toolchains inherently involves handling highly sensitive data and powerful commands, increasing its risk profile.
能力评估
Purpose & Capability
The name/description (secrets toolchain guidance) matches the instructions: the skill checks for mise/fnox/infisical, inspects project and global config files, and documents provider/env patterns. Nothing requested is outside what a secrets-configuration helper would reasonably need.
Instruction Scope
Instructions include shell checks and file reads (e.g., cat .infisical.json, head ~/.config/mise/config.toml, test for fnox.toml) and running CLI commands (e.g., infisical user get). These are coherent with diagnosing/configuring the toolchain, but they do cause the agent to read local and global config files which can contain metadata and possibly sensitive values (or tokens if present). The SKILL.md also references repo-level hooks (.claude/settings.json); this is explanatory, not an inscrutable remote endpoint.
Install Mechanism
Instruction-only skill with no install spec and no code files. No downloads or archive extraction are present, so there is no install-time risk in the skill itself.
Credentials
The skill declares no required environment variables or credentials. It does reference many env var names and CI usage patterns (INFISICAL_TOKEN, FNOX_AGE_KEY, etc.) as part of normal guidance. Because it may prompt or instruct use of these tokens for CI/testing, users should be mindful before providing sensitive credentials to any agent execution.
Persistence & Privilege
always is false, no install or self-modifying behavior, and the skill does not request persistent presence or attempt to change other skills or global agent configuration. The one caution is that the agent can invoke the skill autonomously (platform default), which is normal and expected.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install devtools-secrets
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /devtools-secrets 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of devtools-secrets 1.0.0: - Provides knowledge and guardrails for the mise + fnox + infisical secrets toolchain. - Validates tool installation before offering configuration guidance. - Outlines key project files and relevant configuration commands. - Summarizes the roles and integration chain of mise, fnox, and infisical. - Documents secrets enforcement hooks that block insecure patterns. - Lists gotchas and troubleshooting tips for typical integration issues.
元数据
Slug devtools-secrets
版本 1.0.0
许可证
累计安装 4
当前安装数 4
历史版本数 1
常见问题

Devtools Secrets 是什么?

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain. Use when the user asks to "configure secrets", "set up fnox", "infisical", "mise... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 665 次。

如何安装 Devtools Secrets?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install devtools-secrets」即可一键安装,无需额外配置。

Devtools Secrets 是免费的吗?

是的,Devtools Secrets 完全免费(开源免费),可自由下载、安装和使用。

Devtools Secrets 支持哪些平台?

Devtools Secrets 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Devtools Secrets?

由 basher83(@basher83)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论