ClawHub

A2A Vault

v2.0.0

Zero-knowledge secrets management via PassBox — store, retrieve, rotate, and inject credentials securely.

0· 469· 1 versions· 0 current· 0 all-time· Updated 2mo ago· MIT-0
byLê Minh Hiếu@paparusi

A2A Vault (PassBox)

Zero-knowledge secrets management. Store API keys, tokens, and credentials with client-side encryption. The server never sees plaintext values.

Quick Start

Store a secret:

Use passbox_set_secret with vault "my-project", key "API_KEY", value "sk-abc123"

Retrieve a secret:

Use passbox_get_secret with vault "my-project", key "API_KEY"

Available Tools

Secret Operations

ToolDescription
passbox_get_secretRetrieve and decrypt a secret
passbox_set_secretCreate or update a secret (encrypted before upload)
passbox_list_secretsList secret names (values not returned)
passbox_delete_secretDelete a secret
passbox_rotate_secretTrigger manual secret rotation

Vault Management

ToolDescription
passbox_list_vaultsList all available vaults
passbox_list_environmentsList environments (dev, staging, prod)
passbox_get_environmentGet all secrets in an environment

.env Integration

ToolDescription
passbox_diff_envCompare local .env with vault secrets
passbox_import_envImport .env file into vault

Workflows

Set up project credentials

  1. passbox_list_vaults — see existing vaults
  2. passbox_set_secret — store each credential
  3. passbox_list_secrets — verify all keys are stored

Sync .env with vault

  1. Read your local .env file
  2. passbox_diff_env — see what's different
  3. passbox_import_env — push local secrets to vault

Environment promotion

  1. passbox_get_environment for "dev"
  2. Review values
  3. passbox_set_secret for each key in "staging"

Credential injection

Use with a2a_secure_execute to automatically inject secrets:

Use a2a_secure_execute with toolId "my-api-tool" and input { "apiKey": "{{API_KEY}}" }, vault "my-project"

The {{API_KEY}} placeholder is resolved from PassBox before execution.

Security Model

  • Client-side encryption: Values are encrypted before leaving your device
  • Zero-knowledge: The server stores only ciphertext
  • Environment isolation: dev/staging/prod secrets are fully separated
  • Audit trail: All access is logged
  • Secret rotation: Built-in rotation support with webhooks

Version tags

latestvk9793mhv8ynfbak77nafn7e4ys81nje4passboxvk9793mhv8ynfbak77nafn7e4ys81nje4secretsvk9793mhv8ynfbak77nafn7e4ys81nje4securityvk9793mhv8ynfbak77nafn7e4ys81nje4vaultvk9793mhv8ynfbak77nafn7e4ys81nje4

Runtime requirements

🔐 Clawdis

Install

Install A2A Corp pluginnpm i -g @a2a/openclaw-plugin