Total downloads: 968
Favorites: 2
Current installs: 0
Versions: 1
Install in OpenClaw: /install keys
Description
Secure API key management with broker. Keys never exposed to agent context.
Usage instructions (SKILL.md)
Usage
Make authenticated API calls without seeing the key:
keys-broker call '{"action":"call","service":"openai","url":"https://api.openai.com/v1/chat/completions","method":"POST","body":{"model":"gpt-4","messages":[{"role":"user","content":"Hello"}]}}'
Response:
{"ok": true, "status": 200, "body": {...}}
Supported Services
Only preconfigured services work (security: prevents key exfiltration):
- openai → api.openai.com
- anthropic → api.anthropic.com
- stripe → api.stripe.com
- github → api.github.com
To add services, edit ALLOWED_URLS in keys-broker.sh.
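An added sketch of the kind of service-to-host check this allowlist implies; it is not the code in keys-broker.sh, and the function names `allowed_host`, `url_host` and `check_call` and the `collector.example` URLs are constructed for illustration. It shows why the comparison has to be on the exact parsed host rather than on a URL prefix:

```shell
#!/bin/sh
# Added illustration only; NOT the contents of keys-broker.sh.
# Function names and sample URLs are constructed for this example.

# Map a service name to the one host its key may be sent to.
allowed_host() {
  case "$1" in
    openai)    echo "api.openai.com" ;;
    anthropic) echo "api.anthropic.com" ;;
    stripe)    echo "api.stripe.com" ;;
    github)    echo "api.github.com" ;;
    *)         return 1 ;;
  esac
}

# Print the lowercased host of an https URL; fail on anything else.
url_host() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  rest=${1#https://}
  authority=${rest%%[/?#]*}          # cut at first '/', '?' or '#'
  case "$authority" in
    # Reject empty hosts, userinfo ('@'), ports (':'), and any other
    # character outside the hostname alphabet (backslash, '%', space).
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$authority" | tr 'A-Z' 'a-z'
}

# Decide whether SERVICE's key may be attached to a request for URL.
check_call() {
  want=$(allowed_host "$1") || { echo "deny: unknown service"; return 1; }
  got=$(url_host "$2")      || { echo "deny: bad url"; return 1; }
  [ "$got" = "$want" ]      || { echo "deny: host mismatch"; return 1; }
  echo "allow"
}

# Constructed sample inputs.
for u in \
  "https://api.openai.com/v1/chat/completions" \
  "https://api.openai.com.collector.example/v1" \
  "https://api.openai.com@collector.example/v1" \
  "http://api.openai.com/v1"; do
  printf '%-46s %s\n' "$u" "$(check_call openai "$u")"
done
```

The host check is one layer only: the request itself should also not follow redirects to other hosts.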
Rules
- Never retrieve keys directly — always use keys-broker call
- Never ask user to paste keys in chat — guide them to keychain commands
Other Tasks
- First time setup → see setup.md (install keys-broker.sh)
- Add/remove/rotate keys → see manage.md
Limitations
Does NOT work in: Docker containers, WSL, headless Linux servers (no keychain access).
Security usage recommendations
This skill appears to implement a local key broker correctly and does not include hidden network endpoints or downloads. Before installing, verify the script file yourself (it is included) and only install from a source you trust. Important cautions: (1) any API key you store gives the agent the power to act as you (e.g., charge via Stripe, push to GitHub) — use least-privilege tokens and rotate them if possible; (2) do not add untrusted services to ALLOWED_URLS (editing the allowlist is how exfiltration could be enabled); (3) only use on supported desktop systems with a locked keyring (macOS Keychain or GNOME/KDE keyring) as documented; (4) ensure ~/.local/bin/keys-broker is installed with correct ownership/permissions and inspect temporary files/cleanup policy if you have high-security requirements. If you want higher assurance, run the broker under a dedicated account or use tokens scoped to minimal privileges.
Functional analysis
Type: OpenClaw Skill
Name: keys
Version: 1.0.0
The OpenClaw AgentSkills bundle 'keys' is designed for secure API key management, explicitly preventing key exposure to the agent. The `keys-broker.sh` script implements robust security measures including strict URL allowlisting, input validation, secure key retrieval from OS keychains, and preventing API keys from appearing in process lists by using temporary files for authentication headers. The `SKILL.md` and `manage.md` files contain explicit instructions for the AI agent to 'Never retrieve keys directly' and 'Never ask user to paste keys in chat', acting as strong prompt-injection defenses. There is no evidence of malicious intent, data exfiltration, unauthorized execution, or persistence mechanisms; instead, the design prioritizes security and key protection.
Capability assessment
Purpose & Capability
Name/description (key broker) matches what is included: a shell script that reads keys from the OS keychain (macOS 'security', Linux 'secret-tool') and issues HTTPS requests to pre-allowed service domains. Required binaries (curl, jq, bash) are appropriate.
Instruction Scope
SKILL.md and associated docs instruct the agent to call the broker for API calls and to manage keys via local keyring tools. The runtime instructions do not ask the agent to read unrelated files, environment variables, or send data to unexpected endpoints. The script itself performs limited checks (reads /proc/* for environment detection) which are reasonable for determining supportability.
Install Mechanism
No remote download/install is performed by the skill; installation is a local copy (docs show cp to ~/.local/bin). No external archives or third-party packages are fetched by the skill.
Credentials
No environment variables or external credentials are requested. Keys are retrieved from the OS keychain/keyring only. The number and type of system accesses (security/secret-tool, DBUS check) are proportional to the stated goal.
Persistence & Privilege
Skill is not always:true and does not modify other skills or system-wide agent settings. It runs as an on-demand local binary that accesses only the user's keychain; autonomous invocation is allowed by default but that is expected behavior for skills.
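How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install keys
- Once installation completes, invoke the Skill by name or trigger it with /keys
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history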
v1.0.0
Initial release
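FAQ
What is Keys?
Secure API key management with broker. Keys never exposed to agent context. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 968 downloads to date.
How do I install Keys?
Run the command "/install keys" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Keys free?
Yes, Keys is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Keys support?
Keys runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin).
Who developed Keys?
Developed and maintained by Iván (@ivangdavila); the current version is v1.0.0.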