ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified

redshift

Manage application secrets with the Redshift CLI (https://redshiftapp.com) — decentralized, encrypted secret management built on Nostr. Use when setting, getting, deleting, listing, uploading, or downloading secrets, injecting secrets into commands, configuring projects/environments, or authenticating with Nostr keys. Covers redshift secrets, redshift run, redshift setup, redshift login, and related commands.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/accolver/redshift
Or

Redshift

Decentralized secret management via the redshift CLI. Secrets are client-side encrypted (NIP-59 Gift Wrap) and stored on Nostr relays — no central server.

Project homepage: https://redshiftapp.com

Key concepts

  • Project (-p): a project slug (e.g. backend, myapp)
  • Config/Environment (-c): an environment slug (e.g. dev, staging, production)
  • redshift.yaml: per-directory project config created by redshift setup
  • When -p/-c are omitted, Redshift reads from redshift.yaml in the current directory

Security considerations

  • Never pass secret values directly on the command line in shared/logged environments — prefer redshift secrets set interactively or pipe from stdin
  • Use REDSHIFT_NSEC / REDSHIFT_BUNKER env vars for CI/CD rather than CLI flags
  • Avoid redshift serve --host 0.0.0.0 unless you intend to expose the web UI to the network — default 127.0.0.1 is localhost-only
  • All encryption is client-side; secrets never leave the device unencrypted
  • Private keys are stored in the system keychain, not in plaintext config files

Authentication

redshift login                    # Interactive (recommended)
redshift login --nsec nsec1...    # Direct private key (use env var in CI instead)
redshift login --bunker "bunker://pubkey?relay=wss://relay.example&secret=xxx"  # NIP-46 (ALWAYS quote the URL)
redshift login --connect          # Generate NostrConnect URI for bunker app
redshift me                       # Check current identity
redshift logout                   # Clear credentials

CI/CD: set REDSHIFT_NSEC or REDSHIFT_BUNKER env vars instead of redshift login. These should be stored in your CI platform's secret management (e.g. GitHub Actions secrets), never hardcoded.

Project setup

redshift setup                                  # Interactive
redshift setup -p myapp -c production           # Non-interactive
redshift setup --no-interactive -p app -c dev   # Strict non-interactive

Creates redshift.yaml with project, environment, and relay list.

Secrets

# List all
redshift secrets                          # Redacted values
redshift secrets --raw                    # Show plaintext values
redshift secrets --json                   # JSON output
redshift secrets --only-names             # Names only

# Get
redshift secrets get API_KEY
redshift secrets get API_KEY --plain      # Raw value, no formatting
redshift secrets get API_KEY --copy       # Copy to clipboard
redshift secrets get KEY1 KEY2            # Multiple keys

# Set
redshift secrets set API_KEY sk_live_xxx
redshift secrets set API_KEY '123' DB_URL 'postgres://...'    # Multiple at once

# Delete
redshift secrets delete OLD_KEY
redshift secrets delete KEY1 KEY2 -y      # Skip confirmation
Read Full Documentation on GitHub

Metadata

Author@accolver
Stars4473
Views0
Updated2026-05-01
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-accolver-redshift": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.