2.5k
GitHub Stars
5
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill 1claw- _meta.json1.5 KB
- CONFIG.md4.4 KB
- EXAMPLES.md6.7 KB
- README.md1.3 KB
- SKILL.md53.7 KB
Overview
This skill provides HSM-backed secret management via the 1Claw vault so AI agents can store, retrieve, rotate, and share credentials without exposing them in conversation context. It integrates with a 1Claw agent identity and enforces access policies so secrets are accessed just-in-time and never leaked. Use it to handle API keys, passwords, certificates, env bundles, and other sensitive items securely.
How this skill works
The skill talks to the 1Claw API or MCP server using an agent token and vault ID. It lists secret metadata, fetches decrypted values only at runtime, writes new versions, and supports vault and access management. Sharing and rotation features let agents provision and revoke secrets while the HSM ensures encryption-at-rest and controlled access.
When to use it
- You need an API key, password, or credential to complete a task
- You want to securely store a newly generated credential
- You need to rotate a credential after regeneration
- You must share a secret with a human collaborator by email
- You want to audit or discover what secrets are available before using one
Best practices
- Fetch secrets just-in-time with get_secret immediately before use
- Never echo or log raw secret values in responses or summaries
- Use describe_secret to check existence, version, or expiry before fetching values
- Use list_secrets to discover available paths and avoid guessing
- Call rotate_and_store immediately after regenerating a provider credential
- Share secrets by email when a human needs short-term access and track expiry
Example use cases
- Agent fetches a production API key right before making a billing API call without exposing the key in chat
- Store a newly generated database password and create a new version for safe rotation
- Rotate Stripe or cloud API keys after regeneration and update stored versions atomically
- Share a deployment certificate with a contractor via email share_secret that expires after a set time
- Load an env_bundle for production configuration and parse it into runtime variables
FAQ
Always call get_secret just before the API call and never paste or summarize secret values. State that you retrieved and used the credential instead of showing it.
What if the agent lacks permission to the vault?
You will get a 403. Grant the agent access with grant_access or adjust the vault policy so the agent has the needed permissions.
How do I handle expired or exhausted shares?
A 410 means the share expired or exceeded max access. Create a new secret version or re-share with updated expiry and access limits.