Official Verified

ipeaky

Secure API key management for OpenClaw. Store, list, test, and delete API keys without exposing them in chat history. Keys are stored directly in openclaw.json via gateway config.patch — fully native integration. Use when a user needs to provide, manage, or test API keys (e.g., OpenAI, ElevenLabs, Anthropic, Brave, or any service). Triggers on phrases like "add API key", "store my key", "manage keys", "test my key", "set up API key", or when a skill requires an API key that isn't configured.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/christiancattaneo/ipeaky

Download Source Code (.zip)

ipeaky — Secure API Key Management

Keys are stored directly in OpenClaw's native config (openclaw.json) via gateway config.patch. This means every skill that declares primaryEnv automatically picks up the key — zero manual wiring.

Key Map — Service to Config Path

Service	Config Path	primaryEnv
OpenAI	`skills.entries.openai-whisper-api.apiKey`	OPENAI_API_KEY
ElevenLabs	`skills.entries.sag.apiKey`	ELEVENLABS_API_KEY
Brave Search	`tools.web.search.apiKey`	BRAVE_API_KEY
Gemini	`skills.entries.nano-banana-pro.apiKey`	GEMINI_API_KEY
Google Places	`skills.entries.goplaces.apiKey`	GOOGLE_PLACES_API_KEY
Notion	`skills.entries.notion.apiKey`	NOTION_API_KEY
ElevenLabs Talk	`talk.apiKey`	(direct)
Custom skill	`skills.entries.<skill-name>.apiKey`	(per skill)
Custom env	`skills.entries.<skill-name>.env.<VAR_NAME>`	(arbitrary)

Important: Some keys serve multiple skills. OpenAI key is used by openai-whisper-api, openai-image-gen, etc. ElevenLabs key is used by sag and talk. When storing, set ALL relevant config paths for that key.

Storing Keys (v4 — Single Paste, Zero Exposure) ⭐ PREFERRED

One popup. Paste everything. Regex parses. One save. One restart. Keys never touch chat or network.

bash {baseDir}/scripts/store_key_v4.sh "<SERVICE_NAME>" "<config_prefix>"

Examples:

# X API keys (consumer key + secret + bearer in one paste)
bash {baseDir}/scripts/store_key_v4.sh "X API" "skills.entries.x-twitter.env"

# Any service — user pastes in any format:
#   consumer key: abc123
#   secret: xyz789
#   bearer token: AAAA...

The script:

Shows ONE macOS popup — user pastes all keys in any format
Local Python regex parses key-value pairs (no AI, no network)
Confirmation popup: "Found 3 keys: X, Y, Z — Store all?"
ONE openclaw config set batch → ONE gateway restart
Keys never appear in chat, logs, or shell history

Supported input formats:

key_name: value or key_name = value
KEY_NAME=value
Bare tokens on separate lines (auto-labeled in order)
Mixed formats in one paste

Storing a Key (v3 — Zero Exposure)

Use the v3 script. The agent NEVER sees the key. The script handles popup + storage directly.

bash {baseDir}/scripts/store_key_v3.sh "<SERVICE_NAME>" "<config_path1>" ["<config_path2>" ...]

Examples:

# Brave Search
bash {baseDir}/scripts/store_key_v3.sh "Brave Search" "tools.web.search.apiKey"

# OpenAI (multiple paths)
bash {baseDir}/scripts/store_key_v3.sh "OpenAI" "skills.entries.openai-whisper-api.apiKey"

# ElevenLabs (sag + talk)
bash {baseDir}/scripts/store_key_v3.sh "ElevenLabs" "skills.entries.sag.apiKey" "talk.apiKey"

Read Full Documentation on GitHub

Metadata

Author@christiancattaneo

Stars3683

Updated2026-04-01

View Author Profile

AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-christiancattaneo-ipeaky": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

reckit

Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, mutation-test, and cross-verify before shipping. Language-agnostic. Framework-agnostic. Now with Swift/iOS support. Use when: (1) Building new projects and need verified, tested code ("build X with tests"), (2) Migrating/rebuilding codebases ("rewrite in TypeScript"), (3) Fixing bugs with proof nothing else broke ("fix this bug, verify no regressions"), (4) Auditing existing code quality ("audit this project", "how good are these tests?"), (5) Any request mentioning "reckit", "wreckit", "mutation testing", "verification", "proof bundle", "code audit", or "bulletproof". Produces a proof bundle (.wreckit/) with gate results and Ship/Caution/Blocked verdict.

christiancattaneo 3683

wreckit

Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, mutation-test, and cross-verify before shipping. Language-agnostic. Framework-agnostic. Use when: (1) Building new projects and need verified, tested code ("build X with tests"), (2) Migrating/rebuilding codebases ("rewrite in TypeScript"), (3) Fixing bugs with proof nothing else broke ("fix this bug, verify no regressions"), (4) Auditing existing code quality ("audit this project", "how good are these tests?"), (5) Any request mentioning "wreckit", "mutation testing", "verification", "proof bundle", "code audit", or "bulletproof". Produces a proof bundle (.wreckit/) with gate results and Ship/Caution/Blocked verdict.

christiancattaneo 1947