Tencent SkillHub · Developer Tools

Secrets Management

Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools.



Install for OpenClaw

Quick setup
  1. Download the package from Yavira.
  2. Extract the archive and review SKILL.md first.
  3. Import or place the package into your OpenClaw setup.

Requirements

Target platform
OpenClaw
Install method
Manual import
Extraction
Extract archive
Prerequisites
OpenClaw
Primary doc
SKILL.md

Package facts

Download mode
Yavira redirect
Package format
ZIP package
Source platform
Tencent SkillHub
What's included
SKILL.md

Validation

  • Use the Yavira download entry.
  • Review SKILL.md after the package is downloaded.
  • Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

  1. Download the package from Yavira.
  2. Extract it into a folder your agent can access.
  3. Paste one of the prompts below and point your agent at the extracted folder.
New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Trust & source

Release facts

Source
Tencent SkillHub
Verification
Indexed source record
Version
1.0.0

Documentation


Secrets Management

Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.

Description

USE WHEN:

  • Storing API keys and credentials securely
  • Managing database passwords
  • Handling TLS certificates
  • Setting up automatic secret rotation
  • Implementing least-privilege access patterns
  • Integrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)
  • Deploying to Kubernetes with external secrets

DON'T USE WHEN:

  • Only need local dev values (use .env files not in git)
  • Cannot secure access to the secrets backend
  • Planning to hardcode secrets (don't do that)

Secrets Management Tools Comparison

| Tool | Best For | Key Features |
| --- | --- | --- |
| HashiCorp Vault | Enterprise, multi-cloud | Dynamic secrets, rotation, audit logging |
| AWS Secrets Manager | AWS-native workloads | RDS integration, auto-rotation |
| Azure Key Vault | Azure workloads | HSM-backed, certificate management |
| Google Secret Manager | GCP workloads | Versioning, IAM integration |
| GitHub Secrets | GitHub Actions | Simple, per-repo/org/environment |
| GitLab CI Variables | GitLab CI | Protected branches, masked variables |

Setup

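```bash
# Start Vault dev server with a fixed root token (dev mode only, never in production)
vault server -dev -dev-root-token-id=root

# In a second terminal: set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Enable secrets engine (dev mode already mounts kv-v2 at secret/, so this
# step is only needed on a non-dev server)
vault secrets enable -path=secret kv-v2

# Store secret
vault kv put secret/database/config username=admin password=secret
```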

GitHub Actions with Vault

```yaml
name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Import Secrets from Vault
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.example.com:8200
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/database username | DB_USERNAME ;
            secret/data/database password | DB_PASSWORD ;
            secret/data/api key | API_KEY

      - name: Use secrets
        run: |
          echo "Connecting to database as $DB_USERNAME"
          # Use $DB_PASSWORD, $API_KEY
```

GitLab CI with Vault

```yaml
deploy:
  image: vault:latest
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    - export VAULT_TOKEN=$VAULT_TOKEN
    - apk add curl jq
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."
```

Store Secret

```bash
aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "super-secret-password"
```

Retrieve in GitHub Actions

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text)
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV

- name: Use secret
  run: ./deploy.sh  # $DB_PASSWORD available
```

Terraform Integration

```hcl
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  allocated_storage = 100
  engine            = "postgres"
  instance_class    = "db.t3.large"
  username          = "admin"

  # jsondecode expects the secret string to be a JSON object with a "password" key
  password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}
```

Kubernetes: External Secrets Operator

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: database/config
        property: username
    - secretKey: password
      remoteRef:
        key: database/config
        property: password
```

Automated (AWS Lambda)

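```python
import json
import secrets
import string

import boto3


def generate_strong_password(length=32):
    """Return a random password drawn from a cryptographically secure source."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def update_database_password(new_password):
    """Placeholder: change the password on the database itself (engine-specific)."""
    raise NotImplementedError("implement for your database engine")


def lambda_handler(event, context):
    client = boto3.client('secretsmanager')

    # Get current secret
    response = client.get_secret_value(SecretId='my-secret')
    current_secret = json.loads(response['SecretString'])

    # Generate new password
    new_password = generate_strong_password()

    # Update database password
    update_database_password(new_password)

    # Update secret
    client.put_secret_value(
        SecretId='my-secret',
        SecretString=json.dumps({
            'username': current_secret['username'],
            'password': new_password
        })
    )

    return {'statusCode': 200}
```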

Manual Rotation Process

  1. Generate new secret
  2. Update secret in secret store
  3. Update applications to use new secret
  4. Verify functionality
  5. Revoke old secret
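The five manual steps above, as an added example that is not part of the original SKILL.md. It shows why the old secret is revoked only after verification succeeds, so a failed check can roll back without an outage. `SecretStore` is a hypothetical in-memory stand-in, not a real SDK, and the secret values are constructed.

```python
# Added example: SecretStore is a hypothetical in-memory stand-in for a secrets backend.
import secrets


class SecretStore:
    """Keeps every version of one secret; 'current' is what new readers fetch."""

    def __init__(self, initial):
        self.versions = {1: initial}   # version id -> value
        self.current = 1
        self.revoked = set()

    def put(self, value):
        vid = max(self.versions) + 1
        self.versions[vid] = value
        return vid

    def is_valid(self, value):
        """What the protected service accepts: any stored, non-revoked version."""
        return any(v == value and k not in self.revoked
                   for k, v in self.versions.items())


def rotate(store, verify):
    """Run the five steps in order; returns (rotated, active_version)."""
    old = store.current
    new_value = secrets.token_urlsafe(32)      # 1. generate new secret
    new = store.put(new_value)                 # 2. update secret in secret store
    store.current = new                        # 3. applications now read the new one
    if not verify(store.versions[new]):        # 4. verify functionality
        store.current = old                    #    roll back: old was never revoked
        store.revoked.add(new)
        return False, old
    store.revoked.add(old)                     # 5. revoke old secret, only after success
    return True, new
```

Between steps 2 and 5 both versions are accepted, which is what lets running applications switch over without downtime.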

Pre-commit Hook

```bash
#!/bin/bash
# .git/hooks/pre-commit

# Check for secrets with TruffleHog.
# --fail makes the scanner exit non-zero when results are found.
if ! docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem /repo --fail; then
  echo "❌ Secret detected! Commit blocked."
  exit 1
fi
```

CI/CD Secret Scanning

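```yaml
secret-scan:
  stage: security
  image:
    name: trufflesecurity/trufflehog:latest
    entrypoint: [""]  # clear the image's own entrypoint so GitLab can run the script
  script:
    - trufflehog filesystem . --fail  # --fail exits non-zero when results are found
  allow_failure: false
```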

Best Practices

  • Never commit secrets to Git
  • Use different secrets per environment
  • Rotate secrets regularly (90 days max)
  • Implement least-privilege access
  • Enable audit logging
  • Use secret scanning (GitGuardian, TruffleHog)
  • Mask secrets in logs
  • Encrypt secrets at rest
  • Use short-lived tokens when possible
  • Document secret requirements
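One way to check the "90 days max" rotation rule, as an added example that is not part of the original SKILL.md. It audits metadata shaped like `aws secretsmanager list-secrets` JSON output. The sample listing is constructed, and ISO 8601 timestamp strings are an assumption about how the CLI is configured.

```python
# Added example: audits secret metadata against the page's 90-day rotation rule.
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # "Rotate secrets regularly (90 days max)"

# Constructed sample shaped like `aws secretsmanager list-secrets` output.
SAMPLE = json.loads("""
{"SecretList": [
  {"Name": "production/database/password", "RotationEnabled": true,
   "LastRotatedDate": "2024-05-20T08:00:00+00:00",
   "CreatedDate": "2023-01-10T08:00:00+00:00"},
  {"Name": "production/api/key", "RotationEnabled": false,
   "LastChangedDate": "2024-01-02T08:00:00+00:00",
   "CreatedDate": "2023-06-01T08:00:00+00:00"},
  {"Name": "staging/database/password",
   "CreatedDate": "2024-06-01T08:00:00+00:00"}
]}
""")


def last_rotation(entry):
    """First available timestamp, preferring an actual rotation over a change or creation."""
    for field in ("LastRotatedDate", "LastChangedDate", "CreatedDate"):
        if field in entry:
            return datetime.fromisoformat(entry[field])
    raise ValueError(f"{entry.get('Name')}: no timestamp in listing")


def audit(listing, now):
    """Return (name, age_in_days, reason) for every secret that needs attention."""
    findings = []
    for entry in listing["SecretList"]:
        age = now - last_rotation(entry)
        if age > MAX_AGE:
            findings.append((entry["Name"], age.days, "older than 90 days"))
        elif not entry.get("RotationEnabled", False):
            findings.append((entry["Name"], age.days, "no automatic rotation"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```

`LastChangedDate` moves on any change to the secret, so for secrets without rotation enabled the computed age is a lower bound on how old the value really is.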

Related Skills

  • vulnerability-scanner - For detecting exposed secrets in code
  • api-security - For securing API credentials

Category context

Code helpers, APIs, CLIs, browser automation, testing, and developer operations.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package
1 Docs
  • SKILL.md Primary doc