🛡️ Credential Vault / 凭证保险箱

Author: king6381 · GitHub ↗ · v1.3.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 232 · Favorites: 0 · Current installs: 0 · Versions: 5
Install in OpenClaw
/install mjolnir-credential-vault
Description
GPG AES-256 encrypted credential management. Requires: GPG (gnupg) installed, Python 3.8+, CRED_MASTER_PASS env var for non-interactive use. Use when the use...
Security usage recommendations
This credential vault is internally coherent and implements a local GPG-encrypted file approach. Before installing or using it, consider the following:
  1. Prefer interactive entry via gpg-agent/pinentry rather than exporting CRED_MASTER_PASS — environment variables can be read by other same-user processes on Linux (/proc/*/environ).
  2. The tool creates a plaintext JSON temp file for a short time; on systems without encrypted tmpfs this can be recoverable — consider mounting /tmp as tmpfs or setting TMPDIR to a ram-backed location if you need stronger guarantees.
  3. The helper prints secrets to stdout; avoid running it in contexts where other processes could capture stdout, and avoid exposing secrets in logs.
  4. This is single-user, local storage (no key rotation, no tamper detection) — for enterprise or multi-tenant use consider an OS keyring, HashiCorp Vault, or cloud KMS.
  5. Review the included scripts before use and keep the credential file and skill directory permissions restricted (600/owner-only).
If you cannot accept the env-var and temp-file trade-offs, do not use the non-interactive mode and prefer interactive gpg-agent/pinentry flows.
Functional analysis
Type: OpenClaw Skill
Name: mjolnir-credential-vault
Version: 1.3.1
The skill provides a GPG-encrypted credential vault that follows several security best practices in its Python implementation (cred_manager.py), such as using --passphrase-fd to avoid process-list leaks and implementing secure temporary file deletion. However, the shell helper script (scripts/cred_helper.sh) contains a critical command injection vulnerability where shell variables ($service and $key) are directly interpolated into a Python one-liner's string literals. This flaw allows for arbitrary code execution if service names are maliciously crafted, meeting the criteria for a 'suspicious' classification due to high-risk vulnerabilities.
Capability assessment
Purpose & Capability
Name/description (GPG AES-256 credential manager) matches the code and runtime requirements: Python + gpg + optional CRED_MASTER_PASS. The included scripts implement the stated init/add/get/list/remove operations; no unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md and scripts instruct only to create/read/update a local encrypted file and to set or prompt for a master password. They reference only the skill directory and the CRED_MASTER_PASS env var. There is no instruction to read unrelated files, exfiltrate data, or call external endpoints.
Install Mechanism
No install spec (instruction-only) and shipped code is plain Python/bash. Nothing is downloaded or executed from a remote URL. This minimizes install-time risk.
Credentials
Only a single env var (CRED_MASTER_PASS) is required which aligns with the stated non-interactive usage. This is proportionate, but the skill explicitly warns that environment variables are readable by same-user processes via /proc on Linux and that temporary plaintext JSON is created briefly. Those are real, expected risks (not evidence of misbehavior) and should be considered before non-interactive use.
Persistence & Privilege
Skill is not always:true and does not request system-wide config changes or extra privileges. It is user-invocable and can be called autonomously (platform default), which is normal; there is no additional persistent system modification.
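How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install mjolnir-credential-vault
  3. Once installation completes, invoke the Skill by name or trigger it with /mjolnir-credential-vault
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history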
v1.3.1
v1.3.1: Fix registry metadata — declare gpg/python3 required bins and CRED_MASTER_PASS env var to resolve security scan 'metadata mismatch' finding
v1.3.0
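v1.3.0: Bilingual EN/CN documentation for SKILL.md, CLI output, and shell helper
v1.2.0
Security scan findings all fixed: the shell helper now also uses passphrase-fd; declared the GPG dependency and the CRED_MASTER_PASS environment variable; honestly documented the temporary-file risk; no longer recommends writing to bashrc; complete Limitations
v1.1.0
Security hardening: passphrase-fd replaces passing the passphrase on the command line; temporary files get 600 permissions plus secure deletion; GPG dependency check; password strength hint; explicit Limitations
v1.0.0
Initial release: GPG AES-256 encrypted credential management, dual Python + Shell interface, complete CLI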
Metadata
Slug: mjolnir-credential-vault
Version: 1.3.1
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 5
FAQ

What is 🛡️ Credential Vault / 凭证保险箱?

GPG AES-256 encrypted credential management. Requires: GPG (gnupg) installed, Python 3.8+, CRED_MASTER_PASS env var for non-interactive use. Use when the use... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 232 total downloads so far.

How do I install 🛡️ Credential Vault / 凭证保险箱?

Run the command "/install mjolnir-credential-vault" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is 🛡️ Credential Vault / 凭证保险箱 free?

Yes, 🛡️ Credential Vault / 凭证保险箱 is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does 🛡️ Credential Vault / 凭证保险箱 support?

🛡️ Credential Vault / 凭证保险箱 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed 🛡️ Credential Vault / 凭证保险箱?

It is developed and maintained by king6381 (@king6381); the current version is v1.3.1.
