secret-portal
Spin up a one-time web UI for securely entering secret keys and env vars. Supports guided instructions, single-key mode, and cloudflared tunneling.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/awlevin/secret-portalSecret Portal
Spin up a temporary, one-time-use web UI for securely entering secret keys and environment variables. No secrets ever touch chat history or terminal logs.
Quick Start
# Single key with cloudflared tunnel (recommended)
uv run --with secret-portal secret-portal \
-k API_KEY_NAME \
-f ~/.secrets/target-env-file \
--tunnel cloudflared
# With guided instructions and a link to the key's console
uv run --with secret-portal secret-portal \
-k OPENAI_API_KEY \
-f ~/.env \
-i '<strong>Get your key:</strong><ol><li>Go to platform.openai.com</li><li>Click API Keys</li><li>Create new key</li></ol>' \
-l "https://platform.openai.com/api-keys" \
--link-text "Open OpenAI dashboard →" \
--tunnel cloudflared
# Multi-key mode (no -k flag, user enters key names and values)
uv run --with secret-portal secret-portal \
-f ~/.secrets/keys.env \
--tunnel cloudflared
Options
| Flag | Description |
|---|---|
-k, --key | Pre-populate a single key name (user only enters the value) |
-f, --env-file | Path to save secrets to (default: ~/.env) |
-i, --instructions | HTML instructions shown above the input field |
-l, --link | URL button for where to get/create the key |
--link-text | Label for the link button (default: "Open console →") |
--tunnel | cloudflared (recommended), ngrok, or none |
-p, --port | Port to bind to (default: random) |
--timeout | Seconds before auto-shutdown (default: 300) |
Tunneling
Use --tunnel cloudflared — it's free, requires no account, has no interstitial pages, provides HTTPS, and auto-downloads the binary if missing.
ngrok free tier shows an interstitial warning page that blocks mobile and automated use.
Without a tunnel, the port must be open in your firewall/security group. The CLI will warn you if it detects the port is unreachable.
Security
- One-time use: portal expires after a single submission
- Token auth: URL contains a random 32-byte token
- Secret values are never printed to stdout/stderr (enforced by tests)
- Env file is written with
600permissions (owner-only) - Secrets never touch chat history or terminal logs
Source
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-awlevin-secret-portal": {
"enabled": true,
"auto_update": true
}
}
}Related Skills
agent-chat
Temporary real-time chat rooms for AI agents. Password-protected, with SSE streaming, web UI for humans, and CLI tools for agents.
flight-search
Search Google Flights for prices, times, and airlines. No API key required.
airbnb-search
Search Airbnb listings with prices, ratings, and direct links. No user API key required (uses Airbnb's public frontend API key). Use when searching for Airbnb stays, vacation rentals, or accommodation pricing.
openapi2cli
Generate CLI tools from OpenAPI specs. Built for AI agents who hate writing curl commands.
sprite-animator
Generate animated pixel art sprites from any image using AI. Send a photo, get a 16-frame animated GIF.