{ "schemaVersion": "1.0", "item": { "slug": "vincent-credentials", "name": "Vincent - Credentials", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/glitch003/vincent-credentials", "canonicalUrl": "https://clawhub.ai/glitch003/vincent-credentials", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/vincent-credentials", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vincent-credentials", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/vincent-credentials" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/vincent-credentials", "agentPageUrl": "https://openagent3.xyz/skills/vincent-credentials/agent", "manifestUrl": "https://openagent3.xyz/skills/vincent-credentials/agent.json", "briefUrl": "https://openagent3.xyz/skills/vincent-credentials/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Vincent - Credentials for agents", "body": "Use this skill to securely manage credentials that your application needs — API keys, passwords, OAuth tokens, SSH keys, or structured username/password pairs. The agent creates a secret, the user (or agent) sets the value, and the agent uses the CLI to write it directly to a .env file. The credential value never appears in the agent's context or stdout.\n\nThis is useful when the agent is building something that needs credentials (e.g. a third-party API key). Instead of the user pasting the credential into chat (where it enters the agent's context), they set it via the Vincent dashboard, and the agent writes it to the .env file using the CLI.\n\nAll commands use the @vincentai/cli package. API keys are stored and resolved automatically — you never handle raw keys or file paths." }, { "title": "Security Model", "body": "This skill is designed for keeping credentials out of the agent's context window.\n\nHow it works: The secret env CLI command fetches the credential from the Vincent server and writes it directly to a .env file on disk. The value is never printed to stdout and never appears in the agent's conversation context. Many agent frameworks blacklist reading .env files, so even though the file is on disk, the agent cannot read it back. The application the agent is building reads the .env file normally at runtime.\n\nNo environment variables are required because this skill uses agent-first onboarding: the agent creates its own credential secret at runtime by calling the Vincent API, which returns a scoped API key. The CLI stores the returned API key automatically during creation. The config paths where the key is persisted (${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/credentials/credentials/ or ./credentials/) are declared in this skill's metadata.\n\nOverwrite guard: Once a value is set by an agent's API key, only that same API key can overwrite it. This prevents other agents or keys from tampering with the credential. The guard is enforced atomically at the database level.\n\nAll API calls go exclusively to heyvincent.ai over HTTPS/TLS. No other endpoints, services, or external hosts are contacted.\n\nKey lifecycle:\n\nCreation: The agent runs secret create with --type CREDENTIALS — the CLI stores the API key automatically and returns a keyId and claimUrl.\nValue set: The user sets the credential value via the dashboard after claiming, or the agent sets it via the CLI.\nWrite to .env: The agent runs secret env to write the value to a .env file without exposing it.\nClaim: The human operator uses the claim URL to take ownership and manage the secret from the dashboard.\nRevocation: The secret owner can revoke the agent's API key at any time from https://heyvincent.ai." }, { "title": "Secret Types", "body": "TypeValue formatUse caseAPI_KEYNon-empty stringThird-party API keysSSH_KEYNon-empty stringSSH private keysOAUTH_TOKENNon-empty stringOAuth access/refresh tokensCREDENTIALSJSON object with password or secretUsername/password, key/secret pairs\n\nAll four types support the same create, set, and env workflow." }, { "title": "CREDENTIALS Value Format", "body": "The CREDENTIALS value must be a JSON object containing at least one of:\n\npassword (string) — e.g. {\"username\": \"alice\", \"password\": \"hunter2\"}\nsecret (string) — e.g. {\"accountId\": \"acct-1\", \"secret\": \"top-secret\"}\n\nAdditional fields are preserved as-is. All values are limited to 16KB." }, { "title": "1. Check for Existing Keys", "body": "Before creating a new secret, check if one already exists:\n\nnpx @vincentai/cli@latest secret list --type CREDENTIALS\n\nIf a key is returned, use its id as the --key-id for subsequent commands. If no keys exist, create a new secret." }, { "title": "2. Create a Credentials Secret", "body": "npx @vincentai/cli@latest secret create --type CREDENTIALS --memo \"Acme API credentials\"\n\nReturns keyId (use for all future commands), claimUrl (share with the user), and secretId.\n\nAfter creating, tell the user:\n\n\"Here is your credentials claim URL: . Use this to claim ownership and set the credential value at https://heyvincent.ai.\"" }, { "title": "3. Set the Credential Value", "body": "Option A: User sets via dashboard (recommended)\n\nThe user claims the secret using the claim URL, then sets the credential value from the dashboard. This keeps the value completely out of the agent's hands.\n\nOption B: Agent sets via CLI\n\nFor agent-first workflows where the agent has the credential (e.g. it obtained an API key from a service):\n\nnpx @vincentai/cli@latest secret set-value --key-id --value '{\"username\": \"alice\", \"password\": \"hunter2\"}'\n\nFor simple string types (API_KEY, SSH_KEY, OAUTH_TOKEN):\n\nnpx @vincentai/cli@latest secret set-value --key-id --value \"sk-my-third-party-api-key\"" }, { "title": "4. Write to .env File", "body": "Once the value is set (by the user or the agent), use the CLI to write it to a .env file. The value is never printed to stdout.\n\n# Write an API_KEY secret as an env var\nnpx @vincentai/cli@latest secret env --key-id --env-var ACME_API_KEY\n\n# For CREDENTIALS: extract a specific field\nnpx @vincentai/cli@latest secret env --key-id --env-var DB_PASSWORD --field password\n\n# Write to a specific path (default: ./.env)\nnpx @vincentai/cli@latest secret env --key-id --env-var SERVICE_TOKEN --path ./config/.env\n\nThe command outputs a confirmation JSON (without the value) so the agent knows it succeeded:\n\n{\n \"written\": \"ACME_API_KEY\",\n \"path\": \"/path/to/.env\",\n \"type\": \"API_KEY\"\n}\n\nFlags:\n\nFlagRequiredDescription--env-varYesEnvironment variable name (e.g. MY_API_KEY)--pathNoPath to .env file (default: ./.env)--key-idNoAPI key ID (auto-discovered if only one credential key exists)--fieldNoFor CREDENTIALS type: extract a specific JSON field instead of writing the full JSON\n\nBehavior:\n\nCreates the .env file if it doesn't exist (with 0600 permissions)\nUpdates the variable in-place if it already exists in the file\nAppends a new line if the variable doesn't exist\nValues with special characters are automatically quoted" }, { "title": "5. Use in Your Application", "body": "Your application reads the .env file normally:\n\n# Node.js with dotenv\nrequire('dotenv').config()\nconst apiKey = process.env.ACME_API_KEY\n\n# Python with python-dotenv\nfrom dotenv import load_dotenv\nload_dotenv()\napi_key = os.getenv('ACME_API_KEY')" }, { "title": "Example: Full Workflow", "body": "# 1. Agent creates a CREDENTIALS secret\nnpx @vincentai/cli@latest secret create --type CREDENTIALS --memo \"Acme service credentials\"\n# → keyId: abc-123, claimUrl: https://heyvincent.ai/claim/...\n\n# 2. Tell the user to claim and set the value via the dashboard\n\n# 3. Once set, write individual fields to .env\nnpx @vincentai/cli@latest secret env --key-id abc-123 --env-var ACME_USERNAME --field username\nnpx @vincentai/cli@latest secret env --key-id abc-123 --env-var ACME_PASSWORD --field password\n\n# Result in .env:\n# ACME_USERNAME=alice\n# ACME_PASSWORD=hunter2" }, { "title": "Output Format", "body": "The secret env command outputs a confirmation JSON (without the credential value):\n\n{\n \"written\": \"ACME_API_KEY\",\n \"path\": \"/path/to/.env\",\n \"type\": \"API_KEY\"\n}\n\nThe secret create command returns:\n\n{\n \"keyId\": \"abc-123\",\n \"claimUrl\": \"https://heyvincent.ai/claim/...\",\n \"secretId\": \"sec-456\"\n}" }, { "title": "Error Handling", "body": "ErrorCauseResolution401 UnauthorizedInvalid or missing API keyCheck that the key-id is correct; re-link if needed403 Overwrite RejectedA different API key set this credential's valueSecret owner must manage from the dashboard404 Value Not SetCredential value hasn't been set yetUser must set the value via dashboard or agent sets via CLIKey not foundAPI key was revoked or never createdRe-link with a new token from the secret owner" }, { "title": "Re-linking (Recovering API Access)", "body": "If the agent loses its API key, the secret owner can generate a re-link token from the frontend. The agent then exchanges this token for a new API key.\n\nnpx @vincentai/cli@latest secret relink --token \n\nThe CLI exchanges the token for a new API key, stores it automatically, and returns the new keyId. Re-link tokens are one-time use and expire after 10 minutes." }, { "title": "Important Notes", "body": "The credential value never enters the agent's context. The secret env command writes directly to a file — it does not print the value to stdout.\nMany agent frameworks (OpenClaw, Claude Code, etc.) blacklist reading .env files, providing an additional layer of protection.\nAlways share the claim URL with the user after creating a secret.\nThe 16KB size limit applies to the serialized value.\nIf the overwrite is rejected with a 403, it means a different API key set the value. The secret owner can manage this from the dashboard." } ], "body": "Vincent - Credentials for agents\n\nUse this skill to securely manage credentials that your application needs — API keys, passwords, OAuth tokens, SSH keys, or structured username/password pairs. The agent creates a secret, the user (or agent) sets the value, and the agent uses the CLI to write it directly to a .env file. The credential value never appears in the agent's context or stdout.\n\nThis is useful when the agent is building something that needs credentials (e.g. a third-party API key). Instead of the user pasting the credential into chat (where it enters the agent's context), they set it via the Vincent dashboard, and the agent writes it to the .env file using the CLI.\n\nAll commands use the @vincentai/cli package. API keys are stored and resolved automatically — you never handle raw keys or file paths.\n\nSecurity Model\n\nThis skill is designed for keeping credentials out of the agent's context window.\n\nHow it works: The secret env CLI command fetches the credential from the Vincent server and writes it directly to a .env file on disk. The value is never printed to stdout and never appears in the agent's conversation context. Many agent frameworks blacklist reading .env files, so even though the file is on disk, the agent cannot read it back. The application the agent is building reads the .env file normally at runtime.\n\nNo environment variables are required because this skill uses agent-first onboarding: the agent creates its own credential secret at runtime by calling the Vincent API, which returns a scoped API key. The CLI stores the returned API key automatically during creation. The config paths where the key is persisted (${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/credentials/credentials/ or ./credentials/) are declared in this skill's metadata.\n\nOverwrite guard: Once a value is set by an agent's API key, only that same API key can overwrite it. This prevents other agents or keys from tampering with the credential. The guard is enforced atomically at the database level.\n\nAll API calls go exclusively to heyvincent.ai over HTTPS/TLS. No other endpoints, services, or external hosts are contacted.\n\nKey lifecycle:\n\nCreation: The agent runs secret create with --type CREDENTIALS — the CLI stores the API key automatically and returns a keyId and claimUrl.\nValue set: The user sets the credential value via the dashboard after claiming, or the agent sets it via the CLI.\nWrite to .env: The agent runs secret env to write the value to a .env file without exposing it.\nClaim: The human operator uses the claim URL to take ownership and manage the secret from the dashboard.\nRevocation: The secret owner can revoke the agent's API key at any time from https://heyvincent.ai.\nSecret Types\nType\tValue format\tUse case\nAPI_KEY\tNon-empty string\tThird-party API keys\nSSH_KEY\tNon-empty string\tSSH private keys\nOAUTH_TOKEN\tNon-empty string\tOAuth access/refresh tokens\nCREDENTIALS\tJSON object with password or secret\tUsername/password, key/secret pairs\n\nAll four types support the same create, set, and env workflow.\n\nCREDENTIALS Value Format\n\nThe CREDENTIALS value must be a JSON object containing at least one of:\n\npassword (string) — e.g. {\"username\": \"alice\", \"password\": \"hunter2\"}\nsecret (string) — e.g. {\"accountId\": \"acct-1\", \"secret\": \"top-secret\"}\n\nAdditional fields are preserved as-is. All values are limited to 16KB.\n\nQuick Start\n1. Check for Existing Keys\n\nBefore creating a new secret, check if one already exists:\n\nnpx @vincentai/cli@latest secret list --type CREDENTIALS\n\n\nIf a key is returned, use its id as the --key-id for subsequent commands. If no keys exist, create a new secret.\n\n2. Create a Credentials Secret\nnpx @vincentai/cli@latest secret create --type CREDENTIALS --memo \"Acme API credentials\"\n\n\nReturns keyId (use for all future commands), claimUrl (share with the user), and secretId.\n\nAfter creating, tell the user:\n\n\"Here is your credentials claim URL: . Use this to claim ownership and set the credential value at https://heyvincent.ai.\"\n\n3. Set the Credential Value\n\nOption A: User sets via dashboard (recommended)\n\nThe user claims the secret using the claim URL, then sets the credential value from the dashboard. This keeps the value completely out of the agent's hands.\n\nOption B: Agent sets via CLI\n\nFor agent-first workflows where the agent has the credential (e.g. it obtained an API key from a service):\n\nnpx @vincentai/cli@latest secret set-value --key-id --value '{\"username\": \"alice\", \"password\": \"hunter2\"}'\n\n\nFor simple string types (API_KEY, SSH_KEY, OAUTH_TOKEN):\n\nnpx @vincentai/cli@latest secret set-value --key-id --value \"sk-my-third-party-api-key\"\n\n4. Write to .env File\n\nOnce the value is set (by the user or the agent), use the CLI to write it to a .env file. The value is never printed to stdout.\n\n# Write an API_KEY secret as an env var\nnpx @vincentai/cli@latest secret env --key-id --env-var ACME_API_KEY\n\n# For CREDENTIALS: extract a specific field\nnpx @vincentai/cli@latest secret env --key-id --env-var DB_PASSWORD --field password\n\n# Write to a specific path (default: ./.env)\nnpx @vincentai/cli@latest secret env --key-id --env-var SERVICE_TOKEN --path ./config/.env\n\n\nThe command outputs a confirmation JSON (without the value) so the agent knows it succeeded:\n\n{\n \"written\": \"ACME_API_KEY\",\n \"path\": \"/path/to/.env\",\n \"type\": \"API_KEY\"\n}\n\n\nFlags:\n\nFlag\tRequired\tDescription\n--env-var\tYes\tEnvironment variable name (e.g. MY_API_KEY)\n--path\tNo\tPath to .env file (default: ./.env)\n--key-id\tNo\tAPI key ID (auto-discovered if only one credential key exists)\n--field\tNo\tFor CREDENTIALS type: extract a specific JSON field instead of writing the full JSON\n\nBehavior:\n\nCreates the .env file if it doesn't exist (with 0600 permissions)\nUpdates the variable in-place if it already exists in the file\nAppends a new line if the variable doesn't exist\nValues with special characters are automatically quoted\n5. Use in Your Application\n\nYour application reads the .env file normally:\n\n# Node.js with dotenv\nrequire('dotenv').config()\nconst apiKey = process.env.ACME_API_KEY\n\n# Python with python-dotenv\nfrom dotenv import load_dotenv\nload_dotenv()\napi_key = os.getenv('ACME_API_KEY')\n\nExample: Full Workflow\n# 1. Agent creates a CREDENTIALS secret\nnpx @vincentai/cli@latest secret create --type CREDENTIALS --memo \"Acme service credentials\"\n# → keyId: abc-123, claimUrl: https://heyvincent.ai/claim/...\n\n# 2. Tell the user to claim and set the value via the dashboard\n\n# 3. Once set, write individual fields to .env\nnpx @vincentai/cli@latest secret env --key-id abc-123 --env-var ACME_USERNAME --field username\nnpx @vincentai/cli@latest secret env --key-id abc-123 --env-var ACME_PASSWORD --field password\n\n# Result in .env:\n# ACME_USERNAME=alice\n# ACME_PASSWORD=hunter2\n\nOutput Format\n\nThe secret env command outputs a confirmation JSON (without the credential value):\n\n{\n \"written\": \"ACME_API_KEY\",\n \"path\": \"/path/to/.env\",\n \"type\": \"API_KEY\"\n}\n\n\nThe secret create command returns:\n\n{\n \"keyId\": \"abc-123\",\n \"claimUrl\": \"https://heyvincent.ai/claim/...\",\n \"secretId\": \"sec-456\"\n}\n\nError Handling\nError\tCause\tResolution\n401 Unauthorized\tInvalid or missing API key\tCheck that the key-id is correct; re-link if needed\n403 Overwrite Rejected\tA different API key set this credential's value\tSecret owner must manage from the dashboard\n404 Value Not Set\tCredential value hasn't been set yet\tUser must set the value via dashboard or agent sets via CLI\nKey not found\tAPI key was revoked or never created\tRe-link with a new token from the secret owner\nRe-linking (Recovering API Access)\n\nIf the agent loses its API key, the secret owner can generate a re-link token from the frontend. The agent then exchanges this token for a new API key.\n\nnpx @vincentai/cli@latest secret relink --token \n\n\nThe CLI exchanges the token for a new API key, stores it automatically, and returns the new keyId. Re-link tokens are one-time use and expire after 10 minutes.\n\nImportant Notes\nThe credential value never enters the agent's context. The secret env command writes directly to a file — it does not print the value to stdout.\nMany agent frameworks (OpenClaw, Claude Code, etc.) blacklist reading .env files, providing an additional layer of protection.\nAlways share the claim URL with the user after creating a secret.\nThe 16KB size limit applies to the serialized value.\nIf the overwrite is rejected with a 403, it means a different API key set the value. The secret owner can manage this from the dashboard." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/glitch003/vincent-credentials", "publisherUrl": "https://clawhub.ai/glitch003/vincent-credentials", "owner": "glitch003", "version": "1.0.69", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/vincent-credentials", "downloadUrl": "https://openagent3.xyz/downloads/vincent-credentials", "agentUrl": "https://openagent3.xyz/skills/vincent-credentials/agent", "manifestUrl": "https://openagent3.xyz/skills/vincent-credentials/agent.json", "briefUrl": "https://openagent3.xyz/skills/vincent-credentials/agent.md" } }