Vincent - Credentials
Author: Chris Cassano · v1.0.69 · MIT-0
Total downloads: 547 · Favorites: 0 · Current installs: 2 · Versions: 10
Install in OpenClaw
/install vincent-credentials
Description
Secure credential management for agents. Use this skill when users need to store API keys, passwords, OAuth tokens, or SSH keys and write them to .env files...
Safe usage recommendations
This skill is coherent with its purpose but has notable runtime risks you should consider before installing:
1) Avoid using the 'agent sets value' CLI pattern shown (secret set-value --value ...) because command-line arguments and shell history can leak secrets; prefer the dashboard claim workflow where a human sets the secret.
2) The instructions rely on npx to fetch and execute @vincentai/cli (often @latest) — pin to a specific version (e.g., @vincentai/cli@<version>) and audit the package source before running it in a production environment.
3) Confirm where the CLI will store keys (the declared OPENCLAW_STATE_DIR or ./credentials) and ensure those filesystems are appropriately protected and backed up/rotated.
4) Treat the 'value never appears in context' statement skeptically — it depends on how you run the CLI and your agent framework's policies.
5) Operational recommendations: restrict the agent's runtime permissions, run the CLI in an isolated environment if possible, rotate/revoke keys after use, and audit network calls from the CLI (verify it only contacts heyvincent.ai if that is a requirement).
If you need help hardening usage patterns (how to pin versions, run the CLI without exposing values on the command line, or configure a safer workflow), get those details before enabling the skill.
Functional analysis
Type: OpenClaw Skill
Name: vincent-credentials
Version: 1.0.69
The skill manages sensitive credentials by interfacing with an external service (heyvincent.ai) and executing a remote CLI tool via 'npx @vincentai/cli@latest' as documented in SKILL.md. While the instructions align with the stated purpose of secure secret management, the reliance on dynamic remote code execution and the redirection of API keys/passwords to a third-party platform represent high-risk capabilities that could be leveraged for data exfiltration or supply chain attacks.
Capability assessment
Purpose & Capability
Name/description align with the declared behavior: a credential-management helper that writes secrets to .env files and persists a CLI-scoped key under the declared credentials paths. Allowed tools (Bash with npx:@vincentai/cli*) are consistent with using a vendor CLI.
Instruction Scope
The SKILL.md repeatedly asserts 'the credential value never appears in the agent's context or stdout' but the examples show using --value on the CLI (e.g. secret set-value --value '{...}' or passing API keys on the command line). Supplying secrets as command-line arguments can expose them to shell history, process listings, CI logs, or agent logs — contradicting the stated security guarantee. The instructions also permit the agent to write .env files on disk, which is expected, but they assume agent frameworks will not read those files (a policy assumption that may not hold).
Install Mechanism
There is no install spec; the guidance relies on npx @vincentai/cli (often @latest). That causes runtime download-and-execute of npm package code (moderate-to-high risk). The skill does not advise pinning a package version or verifying integrity, increasing attack surface if the package or npm account is compromised or a malicious version is published.
Credentials
The skill requests no environment variables and declares reasonable local credential paths. That is proportionate. However, the skill persists provider-scoped API keys under the agent state dir and allows the agent to set secret values via CLI; the CLI usage demonstrated would expose secrets via command-line arguments even though no env vars are required — a usability/UX vs security mismatch to be aware of.
Persistence & Privilege
always:false and no special system-wide privileges are requested. The skill stores its own credential state under the declared paths; it does not request to modify other skills or global agent configuration.
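How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install vincent-credentials
- Once installation completes, invoke the Skill by name or trigger it with /vincent-credentials
- Provide the required inputs according to the Skill's parameter description to get structured output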
Version history
v1.0.69
No user-visible changes in this version.
- Version bumped to 1.0.69 with no file or documentation changes detected.
v1.0.68
No changes detected in this version.
v1.0.66
Version 1.0.66 Changelog
- No file or documentation changes detected in this release.
- Functionality, documentation, and configuration remain unchanged from the previous version.
v1.0.65
- Updated allowed Bash tools to restrict CLI invocations to Bash(npx:@vincentai/cli*) only, improving command safety.
- Changed example for setting credentials from a direct REST API call to using the CLI command (npx @vincentai/cli@latest secret set-value), making credential management more consistent.
- Minor copy updates and expanded CLI usage examples for clarity and accuracy.
v1.0.64
- Version bump to 1.0.64 with no file changes detected.
- No updates to code or documentation.
- No new features, bugfixes, or content edits in this release.
v1.0.63
- No changes detected in this version.
- No file or documentation updates were made.
v1.0.62
- Version bump to 1.0.62 with no file changes detected.
- No updates to code or documentation in this release.
v1.0.61
- Skill metadata updated with a more concise description, author, version, and licensing information.
- Added `allowed-tools` section to specify supported runtime tools: Read, Write, Bash (npx, curl).
- Enhanced triggers listed in description for better discoverability ("store credentials", "API key", etc.).
- No changes to core security, workflow, or CLI usage documented in the skill guide.
v1.0.60
- No changes detected in this release.
- Version 1.0.60 is functionally identical to the previous version.
v1.0.58
- Improved documentation in SKILL.md for setup, usage, and security model.
- Clarified workflow for creating, claiming, and writing secrets to .env files.
- Added detailed explanation of secret types and CREDENTIALS JSON format.
- Provided step-by-step quick start guide with CLI and API command examples.
- Documented overwrite guard and enhanced security practices.
- Updated sample commands and flags for clarity and ease of use.
FAQ
What is Vincent - Credentials?
Secure credential management for agents. Use this skill when users need to store API keys, passwords, OAuth tokens, or SSH keys and write them to .env files... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 547 downloads to date.
How do I install Vincent - Credentials?
Run the command "/install vincent-credentials" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Vincent - Credentials free?
Yes. Vincent - Credentials is completely free and is released under the MIT-0 license, so it can be freely downloaded, installed, and used.
Which platforms does Vincent - Credentials support?
Vincent - Credentials is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Vincent - Credentials?
It is developed and maintained by Chris Cassano (@glitch003); the current version is v1.0.69.