1claw_skill

This skill securely stores, retrieves, and rotates secrets via the 1Claw vault, enabling AI agents to access credentials without exposing them in context.
  • Python

2.5k

GitHub Stars

5

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill 1claw

  • _meta.json1.5 KB
  • CONFIG.md4.4 KB
  • EXAMPLES.md6.7 KB
  • README.md1.3 KB
  • SKILL.md53.7 KB

Overview

This skill provides HSM-backed secret management via the 1Claw vault so AI agents can store, retrieve, rotate, and share credentials without exposing them in conversation context. It integrates with a 1Claw agent identity and enforces access policies so secrets are accessed just-in-time and never leaked. Use it to handle API keys, passwords, certificates, env bundles, and other sensitive items securely.

How this skill works

The skill talks to the 1Claw API or MCP server using an agent token and vault ID. It lists secret metadata, fetches decrypted values only at runtime, writes new versions, and supports vault and access management. Sharing and rotation features let agents provision and revoke secrets while the HSM ensures encryption-at-rest and controlled access.

When to use it

  • You need an API key, password, or credential to complete a task
  • You want to securely store a newly generated credential
  • You need to rotate a credential after regeneration
  • You must share a secret with a human collaborator by email
  • You want to audit or discover what secrets are available before using one

Best practices

  • Fetch secrets just-in-time with get_secret immediately before use
  • Never echo or log raw secret values in responses or summaries
  • Use describe_secret to check existence, version, or expiry before fetching values
  • Use list_secrets to discover available paths and avoid guessing
  • Call rotate_and_store immediately after regenerating a provider credential
  • Share secrets by email when a human needs short-term access and track expiry

Example use cases

  • Agent fetches a production API key right before making a billing API call without exposing the key in chat
  • Store a newly generated database password and create a new version for safe rotation
  • Rotate Stripe or cloud API keys after regeneration and update stored versions atomically
  • Share a deployment certificate with a contractor via email share_secret that expires after a set time
  • Load an env_bundle for production configuration and parse it into runtime variables

FAQ

Always call get_secret just before the API call and never paste or summarize secret values. State that you retrieved and used the credential instead of showing it.

What if the agent lacks permission to the vault?

You will get a 403. Grant the agent access with grant_access or adjust the vault policy so the agent has the needed permissions.

How do I handle expired or exhausted shares?

A 410 means the share expired or exceeded max access. Create a new secret version or re-share with updated expiry and access limits.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational