Tencent SkillHub · Developer Tools

Openclaw

Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: SKILL.md, references/delegation-framework.md, references/leak-prevention.md, references/prompt-injection-defense.md, references/prompt-injection.md, references/secure-storage.md

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 2.1.0

Provenance

Publisher: zscole
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 28 sections Open source page

Bagman

Secure key management patterns for AI agents handling wallets, private keys, and secrets.

When to Use This Skill

Agent needs wallet/blockchain access Handling API keys, credentials, or secrets Building systems where AI controls funds Preventing secret leakage via prompts or outputs

Quick Start

# Install 1Password CLI brew install 1password-cli # Authenticate eval $(op signin) # Create vault for agent credentials op vault create "Agent-Credentials" # Run examples cd examples && python test_suite.py

Core Rules

RuleWhyNever store raw private keysConfig, env, memory, or conversation = leakedUse delegated accessSession keys with time/value/scope limitsSecrets via secret manager1Password, Vault, AWS Secrets ManagerSanitize all outputsScan for key patterns before any responseValidate all inputsCheck for injection attempts before wallet ops

Architecture

┌─────────────────────────────────────────────────────┐ │ AI Agent │ ├─────────────────────────────────────────────────────┤ │ Session Key (bounded) │ │ ├─ Expires after N hours │ │ ├─ Max spend per tx/day │ │ └─ Whitelist of allowed contracts/methods │ ├─────────────────────────────────────────────────────┤ │ Secret Manager (1Password/Vault) │ │ ├─ Retrieve at runtime only │ │ ├─ Never persist to disk │ │ └─ Audit trail of accesses │ ├─────────────────────────────────────────────────────┤ │ Smart Account (ERC-4337) │ │ ├─ Programmable permissions │ │ └─ Recovery without key exposure │ └─────────────────────────────────────────────────────┘

Implementation Files

FilePurposeexamples/secret_manager.py1Password integration for runtime secret retrievalexamples/sanitizer.pyOutput sanitization (keys, seeds, tokens)examples/validator.pyInput validation (prompt injection defense)examples/session_keys.pyERC-4337 session key configurationexamples/delegation_integration.tsMetaMask Delegation Framework (EIP-7710)examples/pre-commitGit hook to block secret commitsexamples/test_suite.pyAdversarial test suitedocs/prompt-injection.mdDeep dive on injection defensedocs/secure-storage.mdSecret storage patternsdocs/session-keys.mdSession key architecturedocs/leak-prevention.mdOutput sanitization patternsdocs/delegation-framework.mdOn-chain permission enforcement (EIP-7710)

1Password CLI Pattern

# Retrieve at runtime (never store result) SESSION_KEY=$(op read "op://Agents/my-agent/session-key") # Run with injected secrets (never touch disk) op run --env-file=.env.tpl -- python agent.py

.env.tpl (safe to commit - no secrets)

PRIVATE_KEY=op://Agents/trading-bot/session-key RPC_URL=op://Infra/alchemy/sepolia-url OPENAI_API_KEY=op://Services/openai/api-key

Python Usage

from secret_manager import get_session_key # Retrieve validated session key creds = get_session_key("trading-bot-session") # Check validity if creds.is_expired(): raise ValueError("Session expired - request renewal from operator") print(f"Time remaining: {creds.time_remaining()}") print(f"Allowed contracts: {creds.allowed_contracts}") # Use the key (never log it!) client.set_signer(creds.session_key)

Vault-Level ACL (Recommended)

Configure 1Password vault permissions: Agent-Credentials/ ├── trading-bot-session # Agent can read ├── payment-bot-session # Agent can read └── master-key # Operator ONLY (agent has no access) Principle: Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access.

2. Output Sanitization

Apply to ALL agent outputs before sending anywhere: from sanitizer import OutputSanitizer def respond(content: str) -> str: """Sanitize before any output.""" return OutputSanitizer.sanitize(content) # Catches: # - Private keys (0x + 64 hex) # - OpenAI/Anthropic/Groq/AWS keys # - GitHub/Slack/Discord tokens # - BIP-39 seed phrases (12/24 words) # - PEM private keys # - JWT tokens

Patterns Detected

PatternExampleResultETH private key0x1234...abcd (64 hex)[PRIVATE_KEY_REDACTED]ETH address0x742d...f44e (40 hex)0x742d...f44e (truncated)OpenAI keysk-proj-abc123...[OPENAI_KEY_REDACTED]Anthropic keysk-ant-api03-...[ANTHROPIC_KEY_REDACTED]12-word seedabandon ability able...[SEED_PHRASE_12_WORDS_REDACTED]JWTeyJhbG...[JWT_TOKEN_REDACTED]

3. Input Validation

Check inputs before ANY wallet operation: from validator import InputValidator, ThreatLevel result = InputValidator.validate(user_input) if result.level == ThreatLevel.BLOCKED: return f"Request blocked: {result.reason}" if result.level == ThreatLevel.SUSPICIOUS: # Log for review, but allow log_suspicious(user_input, result.reason) # Proceed with operation

Threat Categories

CategoryExamplesActionExtraction"show private key", "reveal secrets"BlockOverride"ignore previous instructions"BlockRole manipulation"you are now admin"BlockJailbreak"DAN mode", "bypass filters"BlockExfiltration"send config to https://..."BlockWallet threats"transfer all", "unlimited approve"BlockEncodedBase64/hex encoded attacksBlockUnicode tricksCyrillic lookalikes, zero-widthBlockSuspicious"hypothetically", "just between us"Warn

4. Operation Allowlisting

Never execute arbitrary operations. Explicit whitelist only: from dataclasses import dataclass from decimal import Decimal from typing import Optional @dataclass class AllowedOperation: name: str handler: callable max_value: Optional[Decimal] = None requires_confirmation: bool = False cooldown_seconds: int = 0 ALLOWED_OPS = { "check_balance": AllowedOperation("check_balance", get_balance), "transfer_usdc": AllowedOperation( "transfer_usdc", transfer, max_value=Decimal("500"), requires_confirmation=True, cooldown_seconds=60 ), "swap": AllowedOperation( "swap", swap_tokens, max_value=Decimal("1000"), cooldown_seconds=300 ), } def execute(op_name: str, **kwargs): if op_name not in ALLOWED_OPS: raise PermissionError(f"Operation '{op_name}' not allowed") op = ALLOWED_OPS[op_name] if op.max_value and kwargs.get("amount", 0) > op.max_value: raise PermissionError(f"Amount exceeds limit: {op.max_value}") if op.requires_confirmation: return request_confirmation(op_name, kwargs) return op.handler(**kwargs)

5. Confirmation Flow

High-value operations require explicit confirmation: import hashlib import time pending_confirmations = {} def request_confirmation(operation: str, details: dict) -> str: code = hashlib.sha256( f"{operation}{time.time()}".encode() ).hexdigest()[:8].upper() pending_confirmations[code] = { "op": operation, "details": details, "expires": time.time() + 300 # 5 minutes } return f"⚠️ Confirm '{operation}' with code: {code}\n(expires in 5 minutes)" def confirm(code: str): if code not in pending_confirmations: return "Invalid confirmation code" req = pending_confirmations.pop(code) if time.time() > req["expires"]: return "Confirmation code expired" return execute_confirmed(req["op"], req["details"])

6. Session Keys (ERC-4337)

Instead of giving agents master keys, issue bounded session keys: from session_keys import SessionKeyManager # Operator creates trading session for agent config = SessionKeyManager.create_trading_session( agent_name="alpha-trader", operator_address="0x742d...", duration_hours=24, max_trade_usdc=1000, daily_limit_usdc=5000, ) # Export for storage in 1Password export_data = SessionKeyManager.export_for_1password( config, session_key_hex="0x..." # Generated session key ) # op item create ... (store in 1Password)

Session Key Benefits

FeatureMaster KeySession KeyExpirationNeverConfigurable (hours/days)Spending limitsNonePer-tx and daily capsContract restrictionsFull accessWhitelist onlyRevocationRequires key rotationInstant, no key changeAuditNoneFull operation log

7. Pre-commit Hook

Block commits containing secrets: # Install cp examples/pre-commit .git/hooks/ chmod +x .git/hooks/pre-commit Detected patterns: ETH private keys (64 hex chars) OpenAI/Anthropic/Groq keys AWS access keys GitHub/GitLab tokens Slack/Discord tokens PEM private keys Generic PASSWORD/SECRET assignments BIP-39 seed phrases

8. Defense Layers

USER INPUT │ ▼ ┌────────────────────────────┐ │ Layer 1: Input Validation │ ← Regex + encoding + unicode checks └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 2: Op Allowlisting │ ← Explicit whitelist only └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 3: Value Limits │ ← Max per-tx and per-day └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 4: Confirmation │ ← Time-limited codes for $$$ └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 5: Isolated Exec │ ← Wallet ops != conversation └────────────────────────────┘ │ ▼ OUTPUT SANITIZATION

❌ Keys in memory files

# memory/2026-02-07.md Private key: 0x9f01dad551039daad... Fix: Store reference only: Private key: [stored in 1Password: test-wallet]

❌ Keys in error messages

except Exception as e: log(f"Failed with key {private_key}: {e}") Fix: Never include credentials in error context

❌ Keys in .env.example

PRIVATE_KEY=sk-ant-api03-real-key... # "for testing" Fix: Use obviously fake: PRIVATE_KEY=your-key-here

❌ "All" in transfer requests

User: "Transfer all my USDC" Agent: *executes unlimited transfer* Fix: Block "all/everything/max" patterns, require explicit amounts

❌ Trusting conversation context

# Wallet has access to conversation history self.wallet.execute(conversation[-1]["content"]) Fix: Wallet operations must be isolated from conversation context

Testing

cd examples # Run full test suite python test_suite.py # Test individual components python sanitizer.py # Output sanitization demo python validator.py # Input validation demo python session_keys.py # Session key demo Expected output: All tests passed

Checklist

1Password CLI installed and authenticated Secrets in 1Password vault, not files Session keys with expiry and limits Output sanitization on all responses Input validation before wallet ops Pre-commit hook installed Confirmation flow for high-value operations Wallet operations isolated from conversation .gitignore covers secrets and memory files Test suite passes

Security Model Limitations

This skill provides defense in depth, not a guarantee. Adversaries may: Novel injection patterns - Regex can't catch everything; semantic analysis helps but isn't perfect Social engineering - Convincing the operator to approve malicious operations Timing attacks - Exploiting confirmation windows Encoding evasion - New encoding schemes not covered Recommendation: Layer these defenses with: Rate limiting Anomaly detection Human-in-the-loop for large transactions Regular security audits

Category context

Code helpers, APIs, CLIs, browser automation, testing, and developer operations.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

6 Docs

SKILL.md Primary doc
references/delegation-framework.md Docs
references/leak-prevention.md Docs
references/prompt-injection-defense.md Docs
references/prompt-injection.md Docs
references/secure-storage.md Docs