← 返回 Skills 市场

Infisical Reader

Name: Infisical Reader
Author: achikochikorogaru

作者 Jau Hofu · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install infisical-reader

功能描述

Direct REST API reader for Infisical secrets. Lightweight, no middleware. Use when the agent needs to fetch API keys or credentials from Infisical.

使用说明 (SKILL.md)

Infisical

Read secrets from Infisical via REST API.

User Setup

Create Machine Identity: Organization → Access Control → Machine Identities.
Add Universal Auth to the identity → save Client ID + Client Secret.
Grant identity access to each project: Project Settings → Access Control → Identities → add as Member.
Store credentials in ~/.openclaw/.env:

INFISICAL_CLIENT_ID=\x3Cclient-id>
INFISICAL_CLIENT_SECRET=***

Agent Workflow

POST /api/v1/auth/universal-auth/login → {"clientId":"...","clientSecret":"***"} → accessToken
GET /api/v1/workspace → list projects (id, slug, environments)
GET /api/v3/secrets/raw?workspaceId=\x3Cid>&environment=\x3Cenv>&secretPath=/ → secrets

Script

# List projects
python3 {baseDir}/scripts/infisical.py --list-projects

# Read all secrets
python3 {baseDir}/scripts/infisical.py -w \x3CworkspaceId> -e prod

# Get single secret (raw value)
python3 {baseDir}/scripts/infisical.py -w \x3Cwid> -e prod -k OPENAI_API_KEY --raw

Requires INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET in ~/.openclaw/.env.

Notes

Use workspaceId (not projectSlug) — slug may not work in all API versions.
Tokens are short-lived; re-authenticate each session.
Too many failed logins temporarily locks Universal Auth.
Free tier: up to 5 Machine Identities.
Detailed API reference: see {baseDir}/references/api.md

安全使用建议

Install only if you trust the publisher and intend to let an agent access your Infisical secrets. Use a least-privilege Machine Identity, restrict it to only needed projects and environments, avoid bulk or JSON secret dumps, and do not ask the agent to print raw secrets unless absolutely necessary.

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

⚠ Purpose & Capability

The stated purpose is coherent: it reads Infisical secrets via REST API. The concern is that this is high-impact credential access, including commands for reading all secrets and raw single-secret values.

⚠ Instruction Scope

The activation language is broad and does not require explicit user confirmation, a named workspace/environment, or a specific secret before retrieval. The script also supports unmasked JSON output for bulk secret listings.

✓ Install Mechanism

The artifact contains documentation and one Python script. No install hooks, package installation steps, background services, or automatic execution paths were found.

ℹ Credentials

Using Infisical client credentials and outbound calls to app.infisical.com is expected for this purpose, and credentials are read from environment variables or ~/.openclaw/.env as documented.

⚠ Persistence & Privilege

The skill instructs users to store long-lived Infisical client credentials locally and then uses them to obtain bearer tokens. There is no hidden persistence, but the privilege level is sensitive and the handling guidance is thin.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install infisical-reader
安装完成后，直接呼叫该 Skill 的名称或使用 /infisical-reader 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: direct REST API secret reader for Infisical

元数据

Slug infisical-reader

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题