{
  "schemaVersion": "1.0",
  "item": {
    "slug": "passwordstore-broker",
    "name": "Passwordstore Broker",
    "source": "tencent",
    "type": "skill",
    "category": "Security & Compliance",
    "sourceUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "canonicalUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/passwordstore-broker",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=passwordstore-broker",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "scripts/vault.sh",
      "scripts/setup_totp_enrollment.py",
      "scripts/get_password_from_user.py",
      "scripts/run_with_secret.sh",
      "references/SETUP.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/passwordstore-broker"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/passwordstore-broker",
    "agentPageUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent",
    "manifestUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Passwordstore Broker Agent Protocol",
        "body": "Run this workflow whenever credentials are needed."
      },
      {
        "title": "Prerequisites",
        "body": "Follow references/SETUP.md before first use."
      },
      {
        "title": "Setup Preflight",
        "body": "Before first LAN-mode intake, verify both files exist:\n\n~/.passwordstore-broker/totp.secret\n~/.passwordstore-broker/setup_completed_at.txt\n\nIf missing, run scripts/setup_totp_enrollment.py and send:\n\nQR image at qr_png_path (preferred)\nfallback otpauth_url\n\nRecord and trust setup_completed_at as the initial enrollment timestamp.\n\nNever reveal or retransmit the totp.secret value after initial enrollment under any circumstances.\n\nDo not rotate totp.secret. The user has to rotate it manually if it is compromised; rotation is not to be done by the agent."
      },
      {
        "title": "Phase 1: Get Secrets",
        "body": "Goal: ensure required secrets exist in local vault without exposing values in chat.\n\nMap auth requirements to secret-name -> ENV_VAR.\nCheck whether each secret exists:\n\nscripts/vault.sh exists <secret-name>\n\nIf missing, collect via one-time HTTPS intake:\n\nLocal mode (default):\n\nscripts/get_password_from_user.py --secretname <secret-name> --port <port>\n\nLAN mode (when user asks for phone/private-network flow):\n\nscripts/get_password_from_user.py --secretname <secret-name> --port <port> --access lan\n\nSend generated intake URL to user.\nIn LAN mode, instruct user to submit both fields in the form:\n\nsecret value\ncurrent authenticator code\n\nIf intake fails or times out, retry with a new port.\n\nExit criteria:\n\nRequired secret paths exist in vault."
      },
      {
        "title": "Phase 2: Use Secrets",
        "body": "Goal: execute authenticated commands without exposing secret values.\n\nPrefer injector wrapper:\n\nscripts/run_with_secret.sh --secret <secret-name> --env <ENV_VAR> -- <command> [args...]\n\nFallback one-liner:\n\n<ENV_VAR>=\"$(scripts/vault.sh get <secret-name>)\" <command> [args...]\n\nNever print env dumps (env, printenv, set) in secret-bearing runs.\n\nExit criteria:\n\nAuthenticated command succeeds without secret leakage."
      },
      {
        "title": "Phase 3: Interact With Vault",
        "body": "Goal: manage lifecycle safely.\n\nPut/update: scripts/vault.sh put <secret-name>\nGet (only when necessary): scripts/vault.sh get <secret-name>\nExists: scripts/vault.sh exists <secret-name>\nList: scripts/vault.sh ls\nRemove: scripts/vault.sh rm <secret-name>\n\nNaming policy:\n\nUse stable scoped keys like github/token, openai/prod/api_key, aws/staging/access_key_id.\n\nRotation policy:\n\nDefault to replacing value under the same key.\nUse versioned keys only when user explicitly asks."
      },
      {
        "title": "Non-Negotiable Guardrails",
        "body": "Never ask users to paste raw secrets into chat.\nNever echo secret values back to user.\nNever store secrets in repo files, commit messages, issue comments, or transcripts.\nNever expose intake over public interfaces or tunnels.\nLAN mode must rely on runtime private-network autodetection and webform TOTP validation."
      },
      {
        "title": "Quick Runbook",
        "body": "Ensure TOTP enrollment exists (via setup preflight) before first LAN use.\nFor each missing secret, run intake in local or LAN mode based on user intent.\nExecute tools via run_with_secret.sh.\nRotate/remove secrets via vault.sh as requested."
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "publisherUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "owner": "BieggerM",
    "version": "1.1.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/passwordstore-broker",
    "downloadUrl": "https://openagent3.xyz/downloads/passwordstore-broker",
    "agentUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent",
    "manifestUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.md"
  }
}