{
  "schemaVersion": "1.0",
  "item": {
    "slug": "secrets-management",
    "name": "Secrets Management",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "canonicalUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/secrets-management",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secrets-management",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-07T17:22:31.273Z",
      "expiresAt": "2026-05-14T17:22:31.273Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
        "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/secrets-management"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/secrets-management",
    "agentPageUrl": "https://openagent3.xyz/skills/secrets-management/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secrets-management/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secrets-management/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Secrets Management",
        "body": "Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions."
      },
      {
        "title": "Description",
        "body": "USE WHEN:\n\nStoring API keys and credentials securely\nManaging database passwords\nHandling TLS certificates\nSetting up automatic secret rotation\nImplementing least-privilege access patterns\nIntegrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)\nDeploying to Kubernetes with external secrets\n\nDON'T USE WHEN:\n\nOnly need local dev values (use .env files not in git)\nCannot secure access to the secrets backend\nPlanning to hardcode secrets (don't do that)"
      },
      {
        "title": "Secrets Management Tools Comparison",
        "body": "Tool\tBest For\tKey Features\nHashiCorp Vault\tEnterprise, multi-cloud\tDynamic secrets, rotation, audit logging\nAWS Secrets Manager\tAWS-native workloads\tRDS integration, auto-rotation\nAzure Key Vault\tAzure workloads\tHSM-backed, certificate management\nGoogle Secret Manager\tGCP workloads\tVersioning, IAM integration\nGitHub Secrets\tGitHub Actions\tSimple, per-repo/org/environment\nGitLab CI Variables\tGitLab CI\tProtected branches, masked variables"
      },
      {
        "title": "Setup",
        "body": "# Start Vault dev server\nvault server -dev\n\n# Set environment\nexport VAULT_ADDR='http://127.0.0.1:8200'\nexport VAULT_TOKEN='root'\n\n# Enable secrets engine\nvault secrets enable -path=secret kv-v2\n\n# Store secret\nvault kv put secret/database/config username=admin password=secret"
      },
      {
        "title": "GitHub Actions with Vault",
        "body": "name: Deploy with Vault Secrets\n\non: [push]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n\n    - name: Import Secrets from Vault\n      uses: hashicorp/vault-action@v2\n      with:\n        url: https://vault.example.com:8200\n        token: ${{ secrets.VAULT_TOKEN }}\n        secrets: |\n          secret/data/database username | DB_USERNAME ;\n          secret/data/database password | DB_PASSWORD ;\n          secret/data/api key | API_KEY\n\n    - name: Use secrets\n      run: |\n        echo \"Connecting to database as $DB_USERNAME\"\n        # Use $DB_PASSWORD, $API_KEY"
      },
      {
        "title": "GitLab CI with Vault",
        "body": "deploy:\n  image: vault:latest\n  before_script:\n    - export VAULT_ADDR=https://vault.example.com:8200\n    - export VAULT_TOKEN=$VAULT_TOKEN\n    - apk add curl jq\n  script:\n    - |\n      DB_PASSWORD=$(vault kv get -field=password secret/database/config)\n      API_KEY=$(vault kv get -field=key secret/api/credentials)\n      echo \"Deploying with secrets...\""
      },
      {
        "title": "Store Secret",
        "body": "aws secretsmanager create-secret \\\n  --name production/database/password \\\n  --secret-string \"super-secret-password\""
      },
      {
        "title": "Retrieve in GitHub Actions",
        "body": "- name: Configure AWS credentials\n  uses: aws-actions/configure-aws-credentials@v4\n  with:\n    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n    aws-region: us-west-2\n\n- name: Get secret from AWS\n  run: |\n    SECRET=$(aws secretsmanager get-secret-value \\\n      --secret-id production/database/password \\\n      --query SecretString \\\n      --output text)\n    echo \"::add-mask::$SECRET\"\n    echo \"DB_PASSWORD=$SECRET\" >> $GITHUB_ENV\n\n- name: Use secret\n  run: ./deploy.sh  # $DB_PASSWORD available"
      },
      {
        "title": "Terraform Integration",
        "body": "data \"aws_secretsmanager_secret_version\" \"db_password\" {\n  secret_id = \"production/database/password\"\n}\n\nresource \"aws_db_instance\" \"main\" {\n  allocated_storage    = 100\n  engine              = \"postgres\"\n  instance_class      = \"db.t3.large\"\n  username            = \"admin\"\n  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)[\"password\"]\n}"
      },
      {
        "title": "Kubernetes: External Secrets Operator",
        "body": "apiVersion: external-secrets.io/v1beta1\nkind: SecretStore\nmetadata:\n  name: vault-backend\n  namespace: production\nspec:\n  provider:\n    vault:\n      server: \"https://vault.example.com:8200\"\n      path: \"secret\"\n      version: \"v2\"\n      auth:\n        kubernetes:\n          mountPath: \"kubernetes\"\n          role: \"production\"\n\n---\napiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: database-credentials\n  namespace: production\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: SecretStore\n  target:\n    name: database-credentials\n    creationPolicy: Owner\n  data:\n  - secretKey: username\n    remoteRef:\n      key: database/config\n      property: username\n  - secretKey: password\n    remoteRef:\n      key: database/config\n      property: password"
      },
      {
        "title": "Automated (AWS Lambda)",
        "body": "import boto3\nimport json\n\ndef lambda_handler(event, context):\n    client = boto3.client('secretsmanager')\n\n    # Get current secret\n    response = client.get_secret_value(SecretId='my-secret')\n    current_secret = json.loads(response['SecretString'])\n\n    # Generate new password\n    new_password = generate_strong_password()\n\n    # Update database password\n    update_database_password(new_password)\n\n    # Update secret\n    client.put_secret_value(\n        SecretId='my-secret',\n        SecretString=json.dumps({\n            'username': current_secret['username'],\n            'password': new_password\n        })\n    )\n\n    return {'statusCode': 200}"
      },
      {
        "title": "Manual Rotation Process",
        "body": "Generate new secret\nUpdate secret in secret store\nUpdate applications to use new secret\nVerify functionality\nRevoke old secret"
      },
      {
        "title": "Pre-commit Hook",
        "body": "#!/bin/bash\n# .git/hooks/pre-commit\n\n# Check for secrets with TruffleHog\ndocker run --rm -v \"$(pwd):/repo\" \\\n  trufflesecurity/trufflehog:latest \\\n  filesystem --directory=/repo\n\nif [ $? -ne 0 ]; then\n  echo \"❌ Secret detected! Commit blocked.\"\n  exit 1\nfi"
      },
      {
        "title": "CI/CD Secret Scanning",
        "body": "secret-scan:\n  stage: security\n  image: trufflesecurity/trufflehog:latest\n  script:\n    - trufflehog filesystem .\n  allow_failure: false"
      },
      {
        "title": "Best Practices",
        "body": "Never commit secrets to Git\nUse different secrets per environment\nRotate secrets regularly (90 days max)\nImplement least-privilege access\nEnable audit logging\nUse secret scanning (GitGuardian, TruffleHog)\nMask secrets in logs\nEncrypt secrets at rest\nUse short-lived tokens when possible\nDocument secret requirements"
      },
      {
        "title": "Related Skills",
        "body": "vulnerability-scanner - For detecting exposed secrets in code\napi-security - For securing API credentials"
      }
    ],
    "body": "Secrets Management\n\nSecure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.\n\nDescription\n\nUSE WHEN:\n\nStoring API keys and credentials securely\nManaging database passwords\nHandling TLS certificates\nSetting up automatic secret rotation\nImplementing least-privilege access patterns\nIntegrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)\nDeploying to Kubernetes with external secrets\n\nDON'T USE WHEN:\n\nOnly need local dev values (use .env files not in git)\nCannot secure access to the secrets backend\nPlanning to hardcode secrets (don't do that)\nSecrets Management Tools Comparison\nTool\tBest For\tKey Features\nHashiCorp Vault\tEnterprise, multi-cloud\tDynamic secrets, rotation, audit logging\nAWS Secrets Manager\tAWS-native workloads\tRDS integration, auto-rotation\nAzure Key Vault\tAzure workloads\tHSM-backed, certificate management\nGoogle Secret Manager\tGCP workloads\tVersioning, IAM integration\nGitHub Secrets\tGitHub Actions\tSimple, per-repo/org/environment\nGitLab CI Variables\tGitLab CI\tProtected branches, masked variables\nHashiCorp Vault\nSetup\n# Start Vault dev server\nvault server -dev\n\n# Set environment\nexport VAULT_ADDR='http://127.0.0.1:8200'\nexport VAULT_TOKEN='root'\n\n# Enable secrets engine\nvault secrets enable -path=secret kv-v2\n\n# Store secret\nvault kv put secret/database/config username=admin password=secret\n\nGitHub Actions with Vault\nname: Deploy with Vault Secrets\n\non: [push]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n\n    - name: Import Secrets from Vault\n      uses: hashicorp/vault-action@v2\n      with:\n        url: https://vault.example.com:8200\n        token: ${{ secrets.VAULT_TOKEN }}\n        secrets: |\n          secret/data/database username | DB_USERNAME ;\n          secret/data/database password | DB_PASSWORD ;\n          secret/data/api key | API_KEY\n\n    - name: 
Use secrets\n      run: |\n        echo \"Connecting to database as $DB_USERNAME\"\n        # Use $DB_PASSWORD, $API_KEY\n\nGitLab CI with Vault\ndeploy:\n  image: vault:latest\n  before_script:\n    - export VAULT_ADDR=https://vault.example.com:8200\n    - export VAULT_TOKEN=$VAULT_TOKEN\n    - apk add curl jq\n  script:\n    - |\n      DB_PASSWORD=$(vault kv get -field=password secret/database/config)\n      API_KEY=$(vault kv get -field=key secret/api/credentials)\n      echo \"Deploying with secrets...\"\n\nAWS Secrets Manager\nStore Secret\naws secretsmanager create-secret \\\n  --name production/database/password \\\n  --secret-string \"super-secret-password\"\n\nRetrieve in GitHub Actions\n- name: Configure AWS credentials\n  uses: aws-actions/configure-aws-credentials@v4\n  with:\n    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n    aws-region: us-west-2\n\n- name: Get secret from AWS\n  run: |\n    SECRET=$(aws secretsmanager get-secret-value \\\n      --secret-id production/database/password \\\n      --query SecretString \\\n      --output text)\n    echo \"::add-mask::$SECRET\"\n    echo \"DB_PASSWORD=$SECRET\" >> $GITHUB_ENV\n\n- name: Use secret\n  run: ./deploy.sh  # $DB_PASSWORD available\n\nTerraform Integration\ndata \"aws_secretsmanager_secret_version\" \"db_password\" {\n  secret_id = \"production/database/password\"\n}\n\nresource \"aws_db_instance\" \"main\" {\n  allocated_storage    = 100\n  engine              = \"postgres\"\n  instance_class      = \"db.t3.large\"\n  username            = \"admin\"\n  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)[\"password\"]\n}\n\nKubernetes: External Secrets Operator\napiVersion: external-secrets.io/v1beta1\nkind: SecretStore\nmetadata:\n  name: vault-backend\n  namespace: production\nspec:\n  provider:\n    vault:\n      server: \"https://vault.example.com:8200\"\n      path: 
\"secret\"\n      version: \"v2\"\n      auth:\n        kubernetes:\n          mountPath: \"kubernetes\"\n          role: \"production\"\n\n---\napiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: database-credentials\n  namespace: production\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: SecretStore\n  target:\n    name: database-credentials\n    creationPolicy: Owner\n  data:\n  - secretKey: username\n    remoteRef:\n      key: database/config\n      property: username\n  - secretKey: password\n    remoteRef:\n      key: database/config\n      property: password\n\nSecret Rotation\nAutomated (AWS Lambda)\nimport boto3\nimport json\n\ndef lambda_handler(event, context):\n    client = boto3.client('secretsmanager')\n\n    # Get current secret\n    response = client.get_secret_value(SecretId='my-secret')\n    current_secret = json.loads(response['SecretString'])\n\n    # Generate new password\n    new_password = generate_strong_password()\n\n    # Update database password\n    update_database_password(new_password)\n\n    # Update secret\n    client.put_secret_value(\n        SecretId='my-secret',\n        SecretString=json.dumps({\n            'username': current_secret['username'],\n            'password': new_password\n        })\n    )\n\n    return {'statusCode': 200}\n\nManual Rotation Process\nGenerate new secret\nUpdate secret in secret store\nUpdate applications to use new secret\nVerify functionality\nRevoke old secret\nSecret Scanning\nPre-commit Hook\n#!/bin/bash\n# .git/hooks/pre-commit\n\n# Check for secrets with TruffleHog\ndocker run --rm -v \"$(pwd):/repo\" \\\n  trufflesecurity/trufflehog:latest \\\n  filesystem --directory=/repo\n\nif [ $? -ne 0 ]; then\n  echo \"❌ Secret detected! 
Commit blocked.\"\n  exit 1\nfi\n\nCI/CD Secret Scanning\nsecret-scan:\n  stage: security\n  image: trufflesecurity/trufflehog:latest\n  script:\n    - trufflehog filesystem .\n  allow_failure: false\n\nBest Practices\nNever commit secrets to Git\nUse different secrets per environment\nRotate secrets regularly (90 days max)\nImplement least-privilege access\nEnable audit logging\nUse secret scanning (GitGuardian, TruffleHog)\nMask secrets in logs\nEncrypt secrets at rest\nUse short-lived tokens when possible\nDocument secret requirements\nRelated Skills\nvulnerability-scanner - For detecting exposed secrets in code\napi-security - For securing API credentials"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "publisherUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "owner": "brandonwise",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/secrets-management",
    "downloadUrl": "https://openagent3.xyz/downloads/secrets-management",
    "agentUrl": "https://openagent3.xyz/skills/secrets-management/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secrets-management/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secrets-management/agent.md"
  }
}