# Send Openclaw to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "bagman", "name": "Openclaw", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/zscole/bagman", "canonicalUrl": "https://clawhub.ai/zscole/bagman", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/bagman", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bagman", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "references/delegation-framework.md", "references/leak-prevention.md", "references/prompt-injection-defense.md", "references/prompt-injection.md", "references/secure-storage.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "bagman", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-06T15:06:06.582Z", "expiresAt": "2026-05-13T15:06:06.582Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bagman", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bagman", "contentDisposition": "attachment; filename=\"bagman-2.1.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "bagman" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/bagman" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/bagman", "downloadUrl": "https://openagent3.xyz/downloads/bagman", "agentUrl": "https://openagent3.xyz/skills/bagman/agent", "manifestUrl": "https://openagent3.xyz/skills/bagman/agent.json", "briefUrl": "https://openagent3.xyz/skills/bagman/agent.md" } } ``` ## Documentation ### Bagman Secure key management patterns for AI agents handling wallets, private keys, and secrets. ### When to Use This Skill Agent needs wallet/blockchain access Handling API keys, credentials, or secrets Building systems where AI controls funds Preventing secret leakage via prompts or outputs ### Quick Start # Install 1Password CLI brew install 1password-cli # Authenticate eval $(op signin) # Create vault for agent credentials op vault create "Agent-Credentials" # Run examples cd examples && python test_suite.py ### Core Rules RuleWhyNever store raw private keysConfig, env, memory, or conversation = leakedUse delegated accessSession keys with time/value/scope limitsSecrets via secret manager1Password, Vault, AWS Secrets ManagerSanitize all outputsScan for key patterns before any responseValidate all inputsCheck for injection attempts before wallet ops ### Architecture ┌─────────────────────────────────────────────────────┐ │ AI Agent │ ├─────────────────────────────────────────────────────┤ │ Session Key (bounded) │ │ ├─ Expires after N hours │ │ ├─ Max spend per tx/day │ │ └─ Whitelist of allowed contracts/methods │ ├─────────────────────────────────────────────────────┤ │ Secret Manager (1Password/Vault) │ │ ├─ Retrieve at runtime only │ │ ├─ Never persist to disk │ │ └─ Audit trail of accesses │ ├─────────────────────────────────────────────────────┤ │ Smart Account (ERC-4337) │ │ ├─ Programmable permissions │ │ └─ Recovery without key exposure │ └─────────────────────────────────────────────────────┘ ### Implementation Files FilePurposeexamples/secret_manager.py1Password integration for runtime secret retrievalexamples/sanitizer.pyOutput sanitization (keys, seeds, tokens)examples/validator.pyInput validation (prompt injection defense)examples/session_keys.pyERC-4337 session key configurationexamples/delegation_integration.tsMetaMask Delegation Framework (EIP-7710)examples/pre-commitGit hook to block secret commitsexamples/test_suite.pyAdversarial test suitedocs/prompt-injection.mdDeep dive on injection defensedocs/secure-storage.mdSecret storage patternsdocs/session-keys.mdSession key architecturedocs/leak-prevention.mdOutput sanitization patternsdocs/delegation-framework.mdOn-chain permission enforcement (EIP-7710) ### 1Password CLI Pattern # Retrieve at runtime (never store result) SESSION_KEY=$(op read "op://Agents/my-agent/session-key") # Run with injected secrets (never touch disk) op run --env-file=.env.tpl -- python agent.py ### .env.tpl (safe to commit - no secrets) PRIVATE_KEY=op://Agents/trading-bot/session-key RPC_URL=op://Infra/alchemy/sepolia-url OPENAI_API_KEY=op://Services/openai/api-key ### Python Usage from secret_manager import get_session_key # Retrieve validated session key creds = get_session_key("trading-bot-session") # Check validity if creds.is_expired(): raise ValueError("Session expired - request renewal from operator") print(f"Time remaining: {creds.time_remaining()}") print(f"Allowed contracts: {creds.allowed_contracts}") # Use the key (never log it!) client.set_signer(creds.session_key) ### Vault-Level ACL (Recommended) Configure 1Password vault permissions: Agent-Credentials/ ├── trading-bot-session # Agent can read ├── payment-bot-session # Agent can read └── master-key # Operator ONLY (agent has no access) Principle: Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access. ### 2. Output Sanitization Apply to ALL agent outputs before sending anywhere: from sanitizer import OutputSanitizer def respond(content: str) -> str: """Sanitize before any output.""" return OutputSanitizer.sanitize(content) # Catches: # - Private keys (0x + 64 hex) # - OpenAI/Anthropic/Groq/AWS keys # - GitHub/Slack/Discord tokens # - BIP-39 seed phrases (12/24 words) # - PEM private keys # - JWT tokens ### Patterns Detected PatternExampleResultETH private key0x1234...abcd (64 hex)[PRIVATE_KEY_REDACTED]ETH address0x742d...f44e (40 hex)0x742d...f44e (truncated)OpenAI keysk-proj-abc123...[OPENAI_KEY_REDACTED]Anthropic keysk-ant-api03-...[ANTHROPIC_KEY_REDACTED]12-word seedabandon ability able...[SEED_PHRASE_12_WORDS_REDACTED]JWTeyJhbG...[JWT_TOKEN_REDACTED] ### 3. Input Validation Check inputs before ANY wallet operation: from validator import InputValidator, ThreatLevel result = InputValidator.validate(user_input) if result.level == ThreatLevel.BLOCKED: return f"Request blocked: {result.reason}" if result.level == ThreatLevel.SUSPICIOUS: # Log for review, but allow log_suspicious(user_input, result.reason) # Proceed with operation ### Threat Categories CategoryExamplesActionExtraction"show private key", "reveal secrets"BlockOverride"ignore previous instructions"BlockRole manipulation"you are now admin"BlockJailbreak"DAN mode", "bypass filters"BlockExfiltration"send config to https://..."BlockWallet threats"transfer all", "unlimited approve"BlockEncodedBase64/hex encoded attacksBlockUnicode tricksCyrillic lookalikes, zero-widthBlockSuspicious"hypothetically", "just between us"Warn ### 4. Operation Allowlisting Never execute arbitrary operations. Explicit whitelist only: from dataclasses import dataclass from decimal import Decimal from typing import Optional @dataclass class AllowedOperation: name: str handler: callable max_value: Optional[Decimal] = None requires_confirmation: bool = False cooldown_seconds: int = 0 ALLOWED_OPS = { "check_balance": AllowedOperation("check_balance", get_balance), "transfer_usdc": AllowedOperation( "transfer_usdc", transfer, max_value=Decimal("500"), requires_confirmation=True, cooldown_seconds=60 ), "swap": AllowedOperation( "swap", swap_tokens, max_value=Decimal("1000"), cooldown_seconds=300 ), } def execute(op_name: str, **kwargs): if op_name not in ALLOWED_OPS: raise PermissionError(f"Operation '{op_name}' not allowed") op = ALLOWED_OPS[op_name] if op.max_value and kwargs.get("amount", 0) > op.max_value: raise PermissionError(f"Amount exceeds limit: {op.max_value}") if op.requires_confirmation: return request_confirmation(op_name, kwargs) return op.handler(**kwargs) ### 5. Confirmation Flow High-value operations require explicit confirmation: import hashlib import time pending_confirmations = {} def request_confirmation(operation: str, details: dict) -> str: code = hashlib.sha256( f"{operation}{time.time()}".encode() ).hexdigest()[:8].upper() pending_confirmations[code] = { "op": operation, "details": details, "expires": time.time() + 300 # 5 minutes } return f"⚠️ Confirm '{operation}' with code: {code}\\n(expires in 5 minutes)" def confirm(code: str): if code not in pending_confirmations: return "Invalid confirmation code" req = pending_confirmations.pop(code) if time.time() > req["expires"]: return "Confirmation code expired" return execute_confirmed(req["op"], req["details"]) ### 6. Session Keys (ERC-4337) Instead of giving agents master keys, issue bounded session keys: from session_keys import SessionKeyManager # Operator creates trading session for agent config = SessionKeyManager.create_trading_session( agent_name="alpha-trader", operator_address="0x742d...", duration_hours=24, max_trade_usdc=1000, daily_limit_usdc=5000, ) # Export for storage in 1Password export_data = SessionKeyManager.export_for_1password( config, session_key_hex="0x..." # Generated session key ) # op item create ... (store in 1Password) ### Session Key Benefits FeatureMaster KeySession KeyExpirationNeverConfigurable (hours/days)Spending limitsNonePer-tx and daily capsContract restrictionsFull accessWhitelist onlyRevocationRequires key rotationInstant, no key changeAuditNoneFull operation log ### 7. Pre-commit Hook Block commits containing secrets: # Install cp examples/pre-commit .git/hooks/ chmod +x .git/hooks/pre-commit Detected patterns: ETH private keys (64 hex chars) OpenAI/Anthropic/Groq keys AWS access keys GitHub/GitLab tokens Slack/Discord tokens PEM private keys Generic PASSWORD/SECRET assignments BIP-39 seed phrases ### 8. Defense Layers USER INPUT │ ▼ ┌────────────────────────────┐ │ Layer 1: Input Validation │ ← Regex + encoding + unicode checks └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 2: Op Allowlisting │ ← Explicit whitelist only └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 3: Value Limits │ ← Max per-tx and per-day └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 4: Confirmation │ ← Time-limited codes for $$$ └────────────────────────────┘ │ ▼ ┌────────────────────────────┐ │ Layer 5: Isolated Exec │ ← Wallet ops != conversation └────────────────────────────┘ │ ▼ OUTPUT SANITIZATION ### ❌ Keys in memory files # memory/2026-02-07.md Private key: 0x9f01dad551039daad... Fix: Store reference only: Private key: [stored in 1Password: test-wallet] ### ❌ Keys in error messages except Exception as e: log(f"Failed with key {private_key}: {e}") Fix: Never include credentials in error context ### ❌ Keys in .env.example PRIVATE_KEY=sk-ant-api03-real-key... # "for testing" Fix: Use obviously fake: PRIVATE_KEY=your-key-here ### ❌ "All" in transfer requests User: "Transfer all my USDC" Agent: *executes unlimited transfer* Fix: Block "all/everything/max" patterns, require explicit amounts ### ❌ Trusting conversation context # Wallet has access to conversation history self.wallet.execute(conversation[-1]["content"]) Fix: Wallet operations must be isolated from conversation context ### Testing cd examples # Run full test suite python test_suite.py # Test individual components python sanitizer.py # Output sanitization demo python validator.py # Input validation demo python session_keys.py # Session key demo Expected output: All tests passed ### Checklist 1Password CLI installed and authenticated Secrets in 1Password vault, not files Session keys with expiry and limits Output sanitization on all responses Input validation before wallet ops Pre-commit hook installed Confirmation flow for high-value operations Wallet operations isolated from conversation .gitignore covers secrets and memory files Test suite passes ### Security Model Limitations This skill provides defense in depth, not a guarantee. Adversaries may: Novel injection patterns - Regex can't catch everything; semantic analysis helps but isn't perfect Social engineering - Convincing the operator to approve malicious operations Timing attacks - Exploiting confirmation windows Encoding evasion - New encoding schemes not covered Recommendation: Layer these defenses with: Rate limiting Anomaly detection Human-in-the-loop for large transactions Regular security audits ## Trust - Source: tencent - Verification: Indexed source record - Publisher: zscole - Version: 2.1.0 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-05-06T15:06:06.582Z - Expires at: 2026-05-13T15:06:06.582Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/bagman) - [Send to Agent page](https://openagent3.xyz/skills/bagman/agent) - [JSON manifest](https://openagent3.xyz/skills/bagman/agent.json) - [Markdown brief](https://openagent3.xyz/skills/bagman/agent.md) - [Download page](https://openagent3.xyz/downloads/bagman)