ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified

Vincent - Credentials for agents

Secure credential management for agents. Use this skill when users need to store API keys, passwords, OAuth tokens, or SSH keys and write them to .env files without exposing values. Triggers on "store credentials", "API key", "manage secrets", "write to env", ".env file", "credential", "password", "token storage".

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/glitch003/vincent-credentials
Or

Vincent - Credentials for agents

Use this skill to securely manage credentials that your application needs — API keys, passwords, OAuth tokens, SSH keys, or structured username/password pairs. The agent creates a secret, the user (or agent) sets the value, and the agent uses the CLI to write it directly to a .env file. The credential value never appears in the agent's context or stdout.

This is useful when the agent is building something that needs credentials (e.g. a third-party API key). Instead of the user pasting the credential into chat (where it enters the agent's context), they set it via the Vincent dashboard, and the agent writes it to the .env file using the CLI.

All commands use the @vincentai/cli package. API keys are stored and resolved automatically — you never handle raw keys or file paths.

Security Model

This skill is designed for keeping credentials out of the agent's context window.

How it works: The secret env CLI command fetches the credential from the Vincent server and writes it directly to a .env file on disk. The value is never printed to stdout and never appears in the agent's conversation context. Many agent frameworks blacklist reading .env files, so even though the file is on disk, the agent cannot read it back. The application the agent is building reads the .env file normally at runtime.

No environment variables are required because this skill uses agent-first onboarding: the agent creates its own credential secret at runtime by calling the Vincent API, which returns a scoped API key. The CLI stores the returned API key automatically during creation. The config paths where the key is persisted (${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/credentials/credentials/ or ./credentials/) are declared in this skill's metadata.

Overwrite guard: Once a value is set by an agent's API key, only that same API key can overwrite it. This prevents other agents or keys from tampering with the credential. The guard is enforced atomically at the database level.

All API calls go exclusively to heyvincent.ai over HTTPS/TLS. No other endpoints, services, or external hosts are contacted.

Key lifecycle:

  • Creation: The agent runs secret create with --type CREDENTIALS — the CLI stores the API key automatically and returns a keyId and claimUrl.
  • Value set: The user sets the credential value via the dashboard after claiming, or the agent sets it via the CLI.
  • Write to .env: The agent runs secret env to write the value to a .env file without exposing it.
  • Claim: The human operator uses the claim URL to take ownership and manage the secret from the dashboard.
  • Revocation: The secret owner can revoke the agent's API key at any time from https://heyvincent.ai.

Secret Types

Read Full Documentation on GitHub

Metadata

Author@glitch003
Stars2387
Views0
Updated2026-03-09
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-glitch003-vincent-credentials": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

Vincent - Brave Search for agents

Web and news search powered by Brave Search. Use this skill when users want to search the web, find news articles, or look up current information. Pay-per-call via Vincent credit system. Triggers on "search the web", "web search", "brave search", "search news", "find information", "look up", "current events".

glitch003 2387

Vincent - A wallet for agents

Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and polymarket betting.

glitch003 2387

Vincent - A wallet for agents

The agent's wallet for EVM chain transactions and raw signing. Use this skill when users want to create a wallet, transfer tokens, swap on DEXs, interact with smart contracts, or sign messages. Triggers on "wallet", "create wallet", "transfer ETH", "swap tokens", "send transaction", "check balance", "EVM wallet", "raw signer", "sign message".

glitch003 2387

Vincent - Trading Engine for agents

Strategy-driven automated trading for Polymarket. Use this skill when users want to create trading strategies, set stop-loss/take-profit/trailing stop rules, or manage automated trading. Triggers on "trading strategy", "stop loss", "take profit", "trailing stop", "automated trading", "trading engine", "trade rules", "strategy monitor".

glitch003 2387

Agent Wallet

The agent's wallet. Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction.

glitch003 2387