# Send Passwordstore Broker to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "passwordstore-broker",
    "name": "Passwordstore Broker",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "canonicalUrl": "https://clawhub.ai/BieggerM/passwordstore-broker",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/passwordstore-broker",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=passwordstore-broker",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md",
      "scripts/vault.sh",
      "scripts/setup_totp_enrollment.py",
      "scripts/get_password_from_user.py",
      "scripts/run_with_secret.sh",
      "references/SETUP.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/passwordstore-broker"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/passwordstore-broker",
    "downloadUrl": "https://openagent3.xyz/downloads/passwordstore-broker",
    "agentUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent",
    "manifestUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/passwordstore-broker/agent.md"
  }
}
```
## Documentation

### Passwordstore Broker Agent Protocol

Run this workflow whenever credentials are needed.

### Prerequisites

Follow references/SETUP.md before first use.

### Setup Preflight

Before first LAN-mode intake, verify both files exist:

~/.passwordstore-broker/totp.secret


~/.passwordstore-broker/setup_completed_at.txt


If missing, run scripts/setup_totp_enrollment.py and send:

QR image at qr_png_path (preferred)
fallback otpauth_url



Record and trust setup_completed_at as the initial enrollment timestamp.


Never reveal or retransmit the totp.secret value after initial enrollment under any circumstances.


Do not rotate totp.secret. User has to do it manually if compromised. Rotation is not to be done by the agent.

### Phase 1: Get Secrets

Goal: ensure required secrets exist in local vault without exposing values in chat.

Map auth requirements to secret-name -> ENV_VAR.
Check whether each secret exists:

scripts/vault.sh exists <secret-name>


If missing, collect via one-time HTTPS intake:

Local mode (default):

scripts/get_password_from_user.py --secretname <secret-name> --port <port>


LAN mode (when user asks for phone/private-network flow):

scripts/get_password_from_user.py --secretname <secret-name> --port <port> --access lan




Send generated intake URL to user.
In LAN mode, instruct user to submit both fields in the form:

secret value
current authenticator code


If intake fails or times out, retry with a new port.

Exit criteria:

Required secret paths exist in vault.

### Phase 2: Use Secrets

Goal: execute authenticated commands without exposing secret values.

Prefer injector wrapper:

scripts/run_with_secret.sh --secret <secret-name> --env <ENV_VAR> -- <command> [args...]


Fallback one-liner:

<ENV_VAR>="$(scripts/vault.sh get <secret-name>)" <command> [args...]


Never print env dumps (env, printenv, set) in secret-bearing runs.

Exit criteria:

Authenticated command succeeds without secret leakage.

### Phase 3: Interact With Vault

Goal: manage lifecycle safely.

Put/update: scripts/vault.sh put <secret-name>
Get (only when necessary): scripts/vault.sh get <secret-name>
Exists: scripts/vault.sh exists <secret-name>
List: scripts/vault.sh ls
Remove: scripts/vault.sh rm <secret-name>

Naming policy:

Use stable scoped keys like github/token, openai/prod/api_key, aws/staging/access_key_id.

Rotation policy:

Default to replacing value under the same key.
Use versioned keys only when user explicitly asks.

### Non-Negotiable Guardrails

Never ask users to paste raw secrets into chat.
Never echo secret values back to user.
Never store secrets in repo files, commit messages, issue comments, or transcripts.
Never expose intake over public interfaces or tunnels.
LAN mode must rely on runtime private-network autodetection and webform TOTP validation.

### Quick Runbook

Ensure TOTP enrollment exists (via setup preflight) before first LAN use.
For each missing secret, run intake in local or LAN mode based on user intent.
Execute tools via run_with_secret.sh.
Rotate/remove secrets via vault.sh as requested.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: BieggerM
- Version: 1.1.1
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/passwordstore-broker)
- [Send to Agent page](https://openagent3.xyz/skills/passwordstore-broker/agent)
- [JSON manifest](https://openagent3.xyz/skills/passwordstore-broker/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/passwordstore-broker/agent.md)
- [Download page](https://openagent3.xyz/downloads/passwordstore-broker)