# Send Secrets Management to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "secrets-management",
    "name": "Secrets Management",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "canonicalUrl": "https://clawhub.ai/brandonwise/secrets-management",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/secrets-management",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secrets-management",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "secrets-management",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-08T14:58:01.342Z",
      "expiresAt": "2026-05-15T14:58:01.342Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secrets-management",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secrets-management",
        "contentDisposition": "attachment; filename=\"secrets-management-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "secrets-management"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/secrets-management"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/secrets-management",
    "downloadUrl": "https://openagent3.xyz/downloads/secrets-management",
    "agentUrl": "https://openagent3.xyz/skills/secrets-management/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secrets-management/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secrets-management/agent.md"
  }
}
```
## Documentation

### Secrets Management

Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.

### Description

USE WHEN:

- Storing API keys and credentials securely
- Managing database passwords
- Handling TLS certificates
- Setting up automatic secret rotation
- Implementing least-privilege access patterns
- Integrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)
- Deploying to Kubernetes with external secrets

DON'T USE WHEN:

- Only need local dev values (use .env files not in git)
- Cannot secure access to the secrets backend
- Planning to hardcode secrets (don't do that)

### Secrets Management Tools Comparison

| Tool | Best For | Key Features |
| --- | --- | --- |
| HashiCorp Vault | Enterprise, multi-cloud | Dynamic secrets, rotation, audit logging |
| AWS Secrets Manager | AWS-native workloads | RDS integration, auto-rotation |
| Azure Key Vault | Azure workloads | HSM-backed, certificate management |
| Google Secret Manager | GCP workloads | Versioning, IAM integration |
| GitHub Secrets | GitHub Actions | Simple, per-repo/org/environment |
| GitLab CI Variables | GitLab CI | Protected branches, masked variables |

### Setup

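```bash
# Start Vault dev server (runs in the foreground; use a separate terminal).
# -dev-root-token-id pins the root token to 'root' so the export below matches;
# without it, dev mode prints a random root token at startup.
vault server -dev -dev-root-token-id=root

# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Enable secrets engine
# (dev mode already mounts KV v2 at secret/, so this is only needed on a non-dev server)
vault secrets enable -path=secret kv-v2

# Store secret
vault kv put secret/database/config username=admin password=secret
```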

### GitHub Actions with Vault

```yaml
name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Import Secrets from Vault
      uses: hashicorp/vault-action@v2
      with:
        url: https://vault.example.com:8200
        token: ${{ secrets.VAULT_TOKEN }}
        secrets: |
          secret/data/database username | DB_USERNAME ;
          secret/data/database password | DB_PASSWORD ;
          secret/data/api key | API_KEY

    - name: Use secrets
      run: |
        echo "Connecting to database as $DB_USERNAME"
        # Use $DB_PASSWORD, $API_KEY
```

### GitLab CI with Vault

```yaml
deploy:
  image: vault:latest
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    - export VAULT_TOKEN=$VAULT_TOKEN
    - apk add curl jq
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."
```

### Store Secret

```bash
aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "super-secret-password"
```

### Retrieve in GitHub Actions

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text)
    # Register the mask before the value is written anywhere
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> "$GITHUB_ENV"

- name: Use secret
  run: ./deploy.sh  # $DB_PASSWORD available
```

### Terraform Integration

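```hcl
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  allocated_storage = 100
  engine            = "postgres"
  instance_class    = "db.t3.large"
  username          = "admin"
  # jsondecode requires the secret string to be a JSON object with a "password" key;
  # a secret stored as a plain string would be referenced directly instead.
  password          = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}
```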

### Kubernetes: External Secrets Operator

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: database/config
      property: username
  - secretKey: password
    remoteRef:
      key: database/config
      property: password
```

### Automated (AWS Lambda)

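```python
import json
import secrets
import string

import boto3


def generate_strong_password(length=32):
    """Random alphanumeric password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def update_database_password(new_password):
    """Placeholder: change the password in the database itself (engine-specific)."""
    raise NotImplementedError("implement for your database engine")


def lambda_handler(event, context):
    client = boto3.client('secretsmanager')

    # Get current secret
    response = client.get_secret_value(SecretId='my-secret')
    current_secret = json.loads(response['SecretString'])

    # Generate new password
    new_password = generate_strong_password()

    # Update database password
    update_database_password(new_password)

    # Update secret (if this call fails, the database and the stored secret disagree)
    client.put_secret_value(
        SecretId='my-secret',
        SecretString=json.dumps({
            'username': current_secret['username'],
            'password': new_password
        })
    )

    return {'statusCode': 200}
```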

### Manual Rotation Process

1. Generate new secret
2. Update secret in secret store
3. Update applications to use new secret
4. Verify functionality
5. Revoke old secret

### Pre-commit Hook

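```bash
#!/bin/bash
# .git/hooks/pre-commit

# Check for secrets with TruffleHog.
# --fail makes trufflehog exit non-zero when it reports a finding;
# without it the scan exits 0 and the commit is never blocked.
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem /repo --fail

if [ $? -ne 0 ]; then
  echo "❌ Secret detected! Commit blocked."
  exit 1
fi
```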

### CI/CD Secret Scanning

```yaml
secret-scan:
  stage: security
  image: trufflesecurity/trufflehog:latest
  script:
    # --fail returns a non-zero exit code on findings so the job actually fails
    - trufflehog filesystem . --fail
  allow_failure: false
```

### Best Practices

- Never commit secrets to Git
- Use different secrets per environment
- Rotate secrets regularly (90 days max)
- Implement least-privilege access
- Enable audit logging
- Use secret scanning (GitGuardian, TruffleHog)
- Mask secrets in logs
- Encrypt secrets at rest
- Use short-lived tokens when possible
- Document secret requirements
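
One way to check the "90 days max" rotation rule against AWS Secrets Manager, as an added example that is not part of the skill package. It audits the JSON printed by `aws secretsmanager list-secrets`; the sample listing and its secret names are constructed, and the timestamps are assumed to be ISO 8601 strings as AWS CLI v2 prints them.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # the "90 days max" rule from the list above

# Constructed sample shaped like `aws secretsmanager list-secrets --output json`.
SAMPLE = json.loads("""
{"SecretList": [
  {"Name": "production/database/password", "RotationEnabled": true,
   "LastRotatedDate": "2026-04-20T09:00:00+00:00",
   "LastChangedDate": "2026-04-20T09:00:00+00:00"},
  {"Name": "production/api/key", "RotationEnabled": false,
   "LastChangedDate": "2025-11-02T12:30:00+00:00"},
  {"Name": "staging/database/password", "RotationEnabled": true,
   "LastRotatedDate": "2025-12-01T00:00:00+00:00",
   "LastChangedDate": "2025-12-01T00:00:00+00:00"},
  {"Name": "staging/new-service/token", "RotationEnabled": false,
   "CreatedDate": "2026-05-01T08:00:00+00:00"}
]}
""")


def last_value_change(entry):
    """Best available estimate of when the secret value last changed, or None."""
    # Prefer the rotation time. LastChangedDate also moves on metadata edits,
    # so falling back to it can make a secret look fresher than it is.
    for key in ("LastRotatedDate", "LastChangedDate", "CreatedDate"):
        if entry.get(key):
            return datetime.fromisoformat(entry[key])
    return None


def audit(listing, now):
    """Return (name, reason) for every secret that breaks the rotation rule."""
    findings = []
    for entry in listing.get("SecretList", []):
        changed = last_value_change(entry)
        if changed is None:
            findings.append((entry["Name"], "no timestamp, age unknown"))
        elif now - changed > MAX_AGE:
            findings.append((entry["Name"], f"value is {(now - changed).days} days old"))
        elif not entry.get("RotationEnabled", False):
            findings.append((entry["Name"], "fresh, but automatic rotation is off"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE, datetime(2026, 5, 8, tzinfo=timezone.utc)):
        print(f"{name}: {reason}")
```
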

### Related Skills

- vulnerability-scanner - For detecting exposed secrets in code
- api-security - For securing API credentials
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: brandonwise
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-08T14:58:01.342Z
- Expires at: 2026-05-15T14:58:01.342Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/secrets-management)
- [Send to Agent page](https://openagent3.xyz/skills/secrets-management/agent)
- [JSON manifest](https://openagent3.xyz/skills/secrets-management/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/secrets-management/agent.md)
- [Download page](https://openagent3.xyz/downloads/secrets-management)