Total downloads: 380
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install vault-client
Description
Hashicorp Vault client for OpenClaw agents. Read and write secrets from a Vault server without raw curl commands or hardcoded tokens. Use when reading API ke...
Security recommendations
This skill appears to be a legitimate Vault client and is coherent with its description, but it stores tokens and cached secret values unencrypted under ~/.openclaw (vault.json and vault-cache.json) and will append a startup block to AGENTS.md during setup. Before installing: (1) ensure you trust the skill source; (2) use least-privileged or short-lived Vault tokens (AppRole or limited policies), not a root/admin token; (3) restrict file permissions on ~/.openclaw (chmod 600) and consider not enabling caching if you don't want secrets on disk; (4) keep tls.verify=true unless you must disable it for internal use; and (5) if you want higher assurance, provide the complete vault.js file (the supplied snippet was truncated) or a source checksum so the implementation can be fully audited — absence of the file tail reduces confidence.
Functional analysis
Type: OpenClaw Skill
Name: vault-client
Version: 1.0.0
The skill is classified as suspicious due to two main reasons: 1) The `scripts/vault.js` file's `cmdSetup` function appends a block of text containing executable commands to `~/.openclaw/workspace/AGENTS.md`. While the current content is benign documentation, this capability to modify a core agent configuration file outside its own directory is a significant vulnerability that could be exploited for prompt injection or arbitrary command execution if the appended content were malicious. 2) The `vaultRequest` function allows disabling TLS certificate verification (`rejectUnauthorized: cfg.tls?.verify !== false`), which is a security weakness that could expose communications to Man-in-the-Middle attacks. There is no evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or backdoors.
Capability assessment
Purpose & Capability
The skill name/description match the included code: vault.js implements get/put/list/token-info/token-renew/check/setup and uses the Vault HTTP API. There are no unrelated network endpoints, unrelated required binaries, or extraneous credentials requested.
Instruction Scope
SKILL.md tells the agent to run the included node script for setup/check/get/put/etc. The script only communicates with the configured Vault address and reads/writes files under ~/.openclaw. The setup step also appends a startup block to AGENTS.md and writes ~/.openclaw/vault.json and ~/.openclaw/vault-cache.json — this is within the declared scope but is persistent filesystem modification the user should be aware of. The documentation contains examples (e.g., reading the Kubernetes service account token) that are examples only — they are not executed by the script unless the user follows them.
Install Mechanism
No install spec or external downloads. The code uses only Node.js stdlib and no npm packages. There is no remote code fetch or archive extraction in the provided files.
Credentials
The skill declares no required environment variables and does not attempt to read unrelated system credentials. However, it stores Vault credentials (token) and secrets in plaintext JSON files under ~/.openclaw and caches secret values in ~/.openclaw/vault-cache.json. That persistent storage of sensitive material is expected for a CLI but is sensitive and should be considered when granting permissions.
Persistence & Privilege
The script writes configuration and cache files under ~/.openclaw and appends to AGENTS.md during setup. It is not marked always:true and does not modify other skills' configuration. Persistent writes are limited to the user's home directory as described.
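How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install vault-client
- Once installation completes, invoke the Skill by name or use /vault-client to trigger it
- Provide the required inputs according to the Skill's parameter documentation to get structured output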
Version history
v1.0.0
Initial release. Clean Vault secret access for OpenClaw agents — no curl, no hardcoded tokens. Commands: check, get, put, list, token-info, token-renew, setup. Session-level caching, AGENTS.md auto-scaffold, zero npm deps.
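Metadata
FAQ
What is Vault Client?
Hashicorp Vault client for OpenClaw agents. Read and write secrets from a Vault server without raw curl commands or hardcoded tokens. Use when reading API ke... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 380 cumulative downloads so far.
How do I install Vault Client?
Run the command "/install vault-client" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Vault Client free?
Yes, Vault Client is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Vault Client support?
Vault Client is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Vault Client?
It is developed and maintained by jbushman (@jbushman); the current version is v1.0.0.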