Official Verified developer tools Safety 5/5

secret-safe

Secure API key and secrets management for agent skills. Use this skill whenever a task requires authenticating with an external service, reading or writing API keys, tokens, passwords, or credentials of any kind. Also trigger when auditing other skills for credential leaks, when a user asks how to securely pass a secret to a skill, or when reviewing a SKILL.md that handles sensitive values. This skill teaches the agent how to handle secrets WITHOUT ever placing them in the LLM context, prompts, logs, or output artifacts — using OpenClaw's native env injection instead.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/brycexbt/secret-safe

Download Source Code (.zip)

What This Skill Does

The secret-safe skill is a foundational security component for OpenClaw agents, designed to eliminate the common vulnerability of exposing credentials within the LLM context. By enforcing strict environment-based injection patterns, this skill ensures that API keys, tokens, and passwords never touch the agent's reasoning process, history logs, or output artifacts. It provides standardized methodologies for handling sensitive authentication data, ensuring they remain encrypted in transit and at rest within the host environment rather than being stored in human-readable prompt history.

Installation

To integrate this protective layer, run the following command in your terminal: clawhub install openclaw/skills/skills/brycexbt/secret-safe Once installed, you should update your openclaw.json configuration to map your credentials to specific environment variables, ensuring the metadata frontmatter of your skill correctly defines the requires.env gate. This prevents any skill from executing unless the required security context is initialized.

Use Cases

Automated API Integration: Securing connections to services like GitHub, AWS, or OpenAI without pasting raw keys into the chat interface.
Security Audits: Scanning existing skills or developer-written instructions to identify and remediate potential credential leaks.
Enterprise Configuration: Implementing secrets manager workflows (like HashiCorp Vault, 1Password, or Keychain) where the agent fetches secrets directly into the subprocess environment, bypassing the LLM layer entirely.
Policy Enforcement: Helping developers structure their SKILL.md files to adhere to OpenClaw's security-first architectural standards.

Example Prompts

"How can I securely pass my Stripe API key to the new payment-processing skill I am building?"
"Audit my current SKILL.md file for credential exposure and suggest the correct environment injection pattern."
"Configure my agent to use the 1Password CLI to fetch my database credentials at runtime instead of hardcoding them."

Tips & Limitations

Strict Isolation: Always ensure you are using double quotes around variables in shell commands to prevent command expansion leaks.
Audit Regularly: While this skill helps mitigate risks, developers must still perform periodic manual reviews of their subprocess calls to ensure no accidental logging occurs.
Environment Only: The skill only functions correctly if the agent adheres to the principle that the LLM should never be told the value of a secret, only that a secret exists within its environment.

Read Full Documentation on GitHub

Metadata

Author@brycexbt

Stars4190

Updated2026-04-18

View Author Profile

AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-brycexbt-secret-safe": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Related Skills

doctorbot-ci-validator

Stop failing in production. Validate your GitHub Actions, GitLab CI & Keep workflows offline with surgical precision. Born from Keep bounty research, perfected for agents.

bamontejano 4473