domjeff

# key-guard

A local MCP server that keeps API keys off Claude's servers.

## Why This Exists

When Claude reads a file containing an API key, the raw key content gets sent to Claude's servers. key-guard prevents this by acting as a local middleman — Claude calls a tool, the tool reads the key and makes the API call locally, and only the result is returned to Claude.

Author: Dominique Jeffrey Alamaro Maximilianus · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 1111
Favorites: 0
Current installs: 2
Versions: 2
Install in OpenClaw
/install key-guard
Description
Security guardrail: prevents API keys from being sent to Claude. Triggers when user asks to call an external API, use a key, check credentials, read .env fil...
Usage (SKILL.md)

Key Guard

A security skill that ensures API keys stay local and are never sent to Claude.

When This Skill Applies

Activate whenever the user wants to:

  • Call an external API (OpenAI, DeepL, Oxford Dictionary, etc.)
  • Check if an API key is configured
  • Read .env, *.key, secrets.*, or any credentials file
  • View or edit a script (.sh, .bash, curl commands, config files) that may contain a hardcoded API key
  • Debug why an API call is failing

Rules (ALWAYS follow these)

  1. NEVER read .env or key files directly — do not use `cat .env` in bash or file read tools on any file containing keys
  2. NEVER read script or config files directly if they might contain hardcoded API keys — use read_file_masked instead
  3. NEVER include a key value in your response, even partially
  4. ALWAYS use the key-guard MCP server for anything key-related

How to Use the MCP Server

The key-guard MCP server exposes five tools:

Tool 1: list_keys

Discover all available key names — never values.

Call: list_keys()
Returns: { keys: ["KEY_A", "KEY_B", "KEY_C"] }

Tool 2: validate_key

Check if a key is configured without seeing it.

Call: validate_key({ key_name: "OPENAI_API_KEY" })
Returns: { exists: true, length: 51, preview: "sk-a****", message: "Key is set" }

Tool 3: call_api

Make an authenticated HTTP request locally. The key is injected by the MCP server — Claude only sees the API response.

Call: call_api({
  key_name: "OPENAI_API_KEY",
  url: "https://api.openai.com/v1/models",
  method: "GET"
})
Returns: { status: 200, data: { ... API response ... } }

Tool 4: read_file_masked

Read a script or config file with all key values replaced by {{KEY_NAME}} placeholders. Use this instead of reading files directly.

Call: read_file_masked({ file_path: "./call.sh" })
Returns: {
  content: "curl -H 'Authorization: Bearer {{OPENAI_API_KEY}}' https://..."
}

You can now safely view and suggest edits to the non-key parts.

Tool 5: write_file_with_keys

Write a file back after editing, with {{KEY_NAME}} placeholders substituted with real key values locally.

Call: write_file_with_keys({
  file_path: "./call.sh",
  content: "curl -H 'Authorization: Bearer {{OPENAI_API_KEY}}' https://api.openai.com/v1/chat/completions ..."
})
Returns: { success: true, message: "File written with keys substituted locally" }

Setup Instructions (tell the user if MCP is not running)

If the MCP server hasn't been registered yet:

# Clone the repo
git clone https://github.com/your-username/key-guard.git

# Copy .env.example to .env and fill in your keys
cp .env.example .env

# Register the MCP server (run once) — replace the path with your actual clone location
/mcp add key-guard node /path/to/key-guard/key-guard.js

# Or add directly to ~/.copilot/mcp-config.json for auto-load on restart:
# {
#   "mcpServers": {
#     "key-guard": {
#       "command": "node",
#       "args": ["/path/to/key-guard/key-guard.js"]
#     }
#   }
# }

Example Workflows

User: "Is my OpenAI key set up?"

1. Call validate_key({ key_name: "OPENAI_API_KEY" })
2. Report back: "Yes, your key is set (51 chars, starts with sk-a****)"

User: "Call the OpenAI API to get word definitions"

1. Call call_api({
     key_name: "OPENAI_API_KEY",
     url: "https://api.openai.com/v1/chat/completions",
     method: "POST",
     body: { model: "gpt-4o-mini", messages: [...] }
   })
2. Use the returned response — never the key itself

User: "Show me my .env file"

Do NOT read .env directly.
Instead, call validate_key for each expected key name and show:
- Which keys are configured
- Approximate length (as a sanity check)
Never show actual values.

User: "Edit my curl script to add a header"

1. Call read_file_masked({ file_path: "./call.sh" })
   → Claude sees "curl -H 'Authorization: Bearer {{OPENAI_API_KEY}}' ..."
2. Make the requested edit to the non-key parts
3. Call write_file_with_keys({ file_path: "./call.sh", content: "<edited content with {{OPENAI_API_KEY}} still in place>" })
   → MCP substitutes the real key before writing to disk

Safe-use recommendations
This skill implements a reasonable local-proxy approach to keep raw key values out of Claude, but several real risks remain:

- call_api will send the actual key to any URL you (or the agent) specify. Only let the MCP call trusted endpoints; otherwise a malicious prompt could exfiltrate keys.
- write_file_with_keys will substitute real keys and write them to any file path. That can overwrite system files or persist secrets in unexpected places; restrict usage and review paths before writing.
- read_file_masked replaces key occurrences only for values >= 8 characters. Short keys may not be masked and could be exposed if files are read improperly.
- validate_key reveals key length and a 4-char preview, which is partial secret leakage; if this is unacceptable, remove or change that behavior.
- list_keys may not show keys that exist only in process.env (it reads .env and KG_ prefixed shell vars), which can confuse users.

Before installing:

- Inspect and (if desired) modify key-guard.js to restrict allowed call_api hostnames, restrict write_file_with_keys to safe directories, and tighten masking/preview behavior.
- Keep the MCP process running under an unprivileged user (do not run as root) and store .env in a controlled location.
- Only install/run this skill from a trusted source and avoid letting untrusted prompts or agents invoke the MCP tools.

If you want a safer default, require an allowlist of target hostnames and allowed file path prefixes and remove preview/length leakage in validate_key.
Feature analysis
Type: OpenClaw Skill Name: key-guard Version: 1.0.1 The key-guard skill bundle is a defensive security tool designed to prevent the accidental transmission of API keys to LLM providers. It implements an MCP server (key-guard.js) that allows an AI agent to validate keys, mask secrets in local files (read_file_masked), and perform authenticated API calls locally (call_api) without the agent ever seeing the raw credentials. While the server has broad file system access and scans shell profiles like .bashrc for specific 'KG_' prefixed keys, these behaviors are transparently documented and directly support the tool's stated purpose of local secret management.
Capability assessment
Purpose & Capability
The skill's name/description match the included code: a local MCP server that reads local keys and performs requests so Claude never directly sees key values. Reading .env and shell profiles is necessary for the stated purpose. Minor inconsistency: list_keys/read_file_masked derive keys from .env and special-prefixed shell vars but getKey also checks process.env — list_keys may omit keys set only in process.env, which is confusing for users.
Instruction Scope
SKILL.md instructs Claude to never read key files and to call the MCP tools for key-related tasks, which is appropriate. However the MCP exposes tools that allow: (a) making authenticated requests to arbitrary URLs (call_api) which could be used to exfiltrate keys if an agent is malicious or a user instructs a call to an attacker-controlled endpoint; (b) writing files with real keys substituted (write_file_with_keys) to any path, which can overwrite arbitrary files; and (c) read_file_masked only masks keys of length >= 8 by simple string replacement—short keys are not masked and could be exposed. The SKILL.md claims 'NEVER read .env' is a rule for Claude, but the MCP server itself necessarily reads .env locally — that distinction is subtle and should be explicit in the doc.
Install Mechanism
No remote install or downloads; code is included in the bundle and registration is manual via MCP config. There is no external network fetch or extract-of-remote-archive during install, which reduces risk.
Credentials
The server reads .env and several shell profile files and will substitute keys from them. That is proportionate to its goal, but there are some concerning behaviors: validate_key returns the key length and a 4-char prefix preview (partial secret leakage); read_file_masked only masks key strings >= 8 chars; write_file_with_keys will insert full secrets into arbitrary files; and call_api will attach full keys to requests to any supplied URL. These behaviors are powerful and should be constrained or limited to trusted endpoints and file paths.
Persistence & Privilege
The skill does not request always:true and doesn't modify other skills or system-wide settings. It runs as a user-space MCP process when registered — normal for this use case.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install key-guard
  3. After installation, invoke the Skill by name or trigger it with /key-guard
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.1
- Initial MCP server implementation added in key-guard.js for local security enforcement.
- All API key management functions (including validation, API calls, safe file read/write) are now handled via the MCP tool interface.
- Ensures API keys are never exposed; all key-related access is routed through the local MCP server.
- Protects sensitive files and scripts by masking keys and substituting only on the local server side.
v1.0.0
key-guard v1.0.0 – Initial Release
- Introduces a security guardrail to prevent API keys from ever being sent to Claude.
- Detects when users request to access, view, or use API keys, and automatically reroutes these actions through the local MCP server.
- Provides clear rules: never read keys or scripts containing keys directly; always use masked views and local key management.
- Integrates with five MCP tools for secure key discovery, validation, API calls, masked file reads, and writing files with key substitution.
- Includes comprehensive usage instructions, example workflows, and setup guidance if MCP is not registered.
Metadata
Slug: key-guard
Version: 1.0.1
License: MIT-0
Total installs: 2
Current installs: 2
Version count: 2
FAQ

What is key-guard?

Security guardrail: prevents API keys from being sent to Claude. Triggers when user asks to call an external API, use a key, check credentials, read .env fil... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1111 downloads to date.

How do I install key-guard?

Run the command "/install key-guard" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is key-guard free?

Yes, key-guard is completely free under the MIT-0 license; you may download, install and use it freely.

Which platforms does key-guard support?

key-guard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed key-guard?

Developed and maintained by Dominique Jeffrey Alamaro Maximilianus (@domjeff); current version v1.0.1.
