{
  "schemaVersion": "1.0",
  "item": {
    "slug": "secret-safe",
    "name": "Secret's Safe",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/brycexbt/secret-safe",
    "canonicalUrl": "https://clawhub.ai/brycexbt/secret-safe",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/secret-safe",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secret-safe",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "references/audit-checklist.md",
      "references/env-injection-examples.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-07T17:22:31.273Z",
      "expiresAt": "2026-05-14T17:22:31.273Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
        "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/secret-safe"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/secret-safe",
    "agentPageUrl": "https://openagent3.xyz/skills/secret-safe/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secret-safe/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secret-safe/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Secret-Safe: Secure Credential Handling for Agent Skills",
        "body": "Why this skill exists: Snyk researchers found that 7.1% of all ClawHub skills\ninstruct agents to handle API keys through the LLM context — making every secret\nan active exfiltration channel. This skill teaches the correct pattern."
      },
      {
        "title": "The Core Rule",
        "body": "A secret must never appear in:\n\nThe LLM prompt or system context\nClaude's response or reasoning\nLogs, session exports, or .jsonl history files\nFile artifacts created by the agent\nError messages echoed back to the user\n\nA secret must only flow through:\n\nprocess.env (injected by OpenClaw before the agent turn)\nThe shell environment of a subprocess the agent spawns\nA secrets manager CLI (read at subprocess level, not piped back into context)"
      },
      {
        "title": "Pattern 1: Environment Injection (Preferred)",
        "body": "This is OpenClaw's native, secure path. Use it for any skill that needs an API key."
      },
      {
        "title": "In SKILL.md frontmatter",
        "body": "---\nname: my-service-skill\ndescription: Interact with MyService API.\nmetadata: {\"openclaw\": {\"requires\": {\"env\": [\"MY_SERVICE_API_KEY\"]}, \"primaryEnv\": \"MY_SERVICE_API_KEY\"}}\n---\n\nThe requires.env gate ensures the skill will not load if the key isn't present — no silent failures, no prompting the user to paste a key mid-conversation.\n\nThe primaryEnv field links to skills.entries.<n>.apiKey in openclaw.json, so the user configures it once in their config file, never in chat."
      },
      {
        "title": "In skill instructions",
        "body": "## Authentication\nThe API key is available as `$MY_SERVICE_API_KEY` in the shell environment.\nPass it to CLI tools or curl as an environment variable — never echo it or\ninclude it in any output returned to the user."
      },
      {
        "title": "Example safe curl invocation (instruct the agent to do this)",
        "body": "# CORRECT — key stays in environment, never in command string visible to LLM\n# Note: the shell expands the variable at run time, so the header value is still a curl argument (visible in ps aux on the host)\nMY_SERVICE_API_KEY=\"$MY_SERVICE_API_KEY\" curl -s \\\n  -H \"Authorization: Bearer $MY_SERVICE_API_KEY\" \\\n  https://api.myservice.com/v1/data\n\nNever instruct the agent to do this:\n\n# WRONG — key is visible in LLM context, command history, and logs\ncurl -H \"Authorization: Bearer sk-abc123realkeyhere\" https://api.myservice.com/"
      },
      {
        "title": "Pattern 2: Secrets Manager Integration",
        "body": "For production setups or team environments, read secrets from a manager at subprocess level."
      },
      {
        "title": "Supported managers",
        "body": "Manager\tCLI\tEnv var pattern\nmacOS Keychain\tsecurity find-generic-password -w\tN/A\n1Password CLI\top read op://vault/item/field\tOP_SERVICE_ACCOUNT_TOKEN\nDoppler\tdoppler run --\tDOPPLER_TOKEN\nHashiCorp Vault\tvault kv get -field=value\tVAULT_TOKEN\nBitwarden CLI\tbw get password item-name\tBW_SESSION"
      },
      {
        "title": "Safe shell wrapper pattern",
        "body": "Create a scripts/run-with-secret.sh in your skill:\n\n#!/usr/bin/env bash\n# Fetches the secret at subprocess level — never echoes to stdout\nSECRET=$(security find-generic-password -s \"my-service-api-key\" -w 2>/dev/null)\nif [ -z \"$SECRET\" ]; then\n  echo \"ERROR: Secret 'my-service-api-key' not found in keychain.\" >&2\n  exit 1\nfi\nexport MY_SERVICE_API_KEY=\"$SECRET\"\nexec \"$@\"\n\nThe agent runs bash {baseDir}/scripts/run-with-secret.sh <actual-command> — the secret is fetched and injected entirely outside the LLM's view."
      },
      {
        "title": "Pattern 3: User Setup Flow (first-run)",
        "body": "If the user hasn't configured a key yet, guide them through setup without asking for the key in chat."
      },
      {
        "title": "Correct setup prompt to give the user:",
        "body": "To use this skill, add your API key to ~/.openclaw/openclaw.json:\n\n  skills:\n    entries:\n      my-service:\n        apiKey: \"your-key-here\"\n\nOr set it as an environment variable before starting OpenClaw:\n  export MY_SERVICE_API_KEY=\"your-key-here\"\n\nDo NOT paste your key into this chat — it will be logged."
      },
      {
        "title": "Incorrect (never do this):",
        "body": "Please share your API key so I can help you set it up."
      },
      {
        "title": "Auditing Another Skill for Leaks",
        "body": "When asked to review a SKILL.md for credential safety, check for these patterns:"
      },
      {
        "title": "🔴 Critical — Must Fix",
        "body": "Pattern\tWhy it's dangerous\nInstruction to paste key into chat\tKey goes into LLM context + session logs\necho $API_KEY or print(api_key) in instructions\tOutput captured in context\nKey interpolated into a string returned to user\tExposed in response artifact\ncat ~/.env or reading raw env files\tEntire env dumped into context\nKey stored in a file the agent creates\tCreates a static credential artifact\nInstructions tell agent to \"remember\" the key\tKey persists across context window"
      },
      {
        "title": "🟡 Warning — Should Fix",
        "body": "Pattern\tRisk\nNo requires.env gate in frontmatter\tSkill silently fails or user is prompted\nLogging command output without filtering\tMay capture keys in error messages\nUsing set -x in shell scripts\tEchoes all commands including key values\nPassing key as a positional argument\tVisible in ps aux on the host"
      },
      {
        "title": "🟢 Safe Patterns",
        "body": "requires.env in frontmatter\nKey accessed only as $ENV_VAR in shell, never echoed\nSubprocess scripts that fetch and inject without returning to context\nError messages that say \"key not found\" without printing the value\nOutput filtered through sed/grep before returning to agent"
      },
      {
        "title": "Self-Check Before Publishing a Skill",
        "body": "Run through this checklist before putting any skill on ClawHub:\n\nDoes the skill ever ask the user to paste a secret into the conversation?\nDoes the skill ever echo, print, log, or return a secret value?\nDoes the skill read a .env file and dump its contents?\nDoes the skill store a secret in a file artifact?\nAre all API key references gated with requires.env in frontmatter?\nDo error messages avoid reflecting credential values?\nDoes any shell script use set -x (which would expose key values)?\nWould running clawhub audit {skill-name} pass?\n\nIf any box is unchecked, do not publish until fixed."
      },
      {
        "title": "Quick Reference: Safe vs Unsafe Patterns",
        "body": "# UNSAFE — never write instructions like these:\n\"Ask the user for their OpenAI API key and use it to call the API.\"\n\"Set the Authorization header to Bearer {user_api_key}.\"\n\"Store the API key in a variable and use it throughout the session.\"\n\n# SAFE — write instructions like these:\n\"The API key is injected as $OPENAI_API_KEY via environment — use it directly.\"\n\"Run: OPENAI_API_KEY=$OPENAI_API_KEY curl ...\"\n\"If $OPENAI_API_KEY is not set, print an error and exit — do not ask the user.\""
      },
      {
        "title": "Reference Files",
        "body": "references/env-injection-examples.md — Full worked examples for popular APIs (OpenAI, Anthropic, GitHub, Stripe, Slack)\nreferences/audit-checklist.md — Printable audit checklist for skill authors and reviewers"
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/brycexbt/secret-safe",
    "publisherUrl": "https://clawhub.ai/brycexbt/secret-safe",
    "owner": "brycexbt",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/secret-safe",
    "downloadUrl": "https://openagent3.xyz/downloads/secret-safe",
    "agentUrl": "https://openagent3.xyz/skills/secret-safe/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secret-safe/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secret-safe/agent.md"
  }
}