Secret Portal
v0.1.0Spin up a one-time web UI for securely entering secret keys and env vars. Supports guided instructions, single-key mode, and cloudflared tunneling.
⭐ 0· 835·3 current·3 all-time
byAaron Levin@awlevin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill tells the agent to run the 'uv' CLI to start a secret-entry portal; the single required binary ('uv') and the provided brew install entry for 'uv' match the documented usage. Required env vars/creds are none, which aligns with a simple UI-for-secrets purpose.
Instruction Scope
SKILL.md instructs executing 'uv run --with secret-portal secret-portal' and passing a path to save secrets (e.g., -f ~/.env). That is within the stated purpose, but it also encourages using '--tunnel cloudflared' and claims cloudflared will be auto-downloaded. The skill is instruction-only and therefore causes execution of an external binary that may download additional executables and perform network operations; the file-writing behavior (saving secrets to disk) and the unverified claims about not logging secrets are sensitive and not enforced by this manifest.
Install Mechanism
Install spec only installs 'uv' via brew (reasonable). However, SKILL.md references auto-downloading 'cloudflared' (a separate binary) when using the recommended tunnel; that secondary download is not declared in the install spec and would be performed at runtime by the external tool. Automatic fetching/extracting of additional binaries by a third-party CLI increases risk and should be validated.
Credentials
The skill declares no environment variables, no credentials, and no config paths. There are no extraneous credential requests in the manifest. Writing secrets to a file is the primary action and is consistent with the stated purpose, though it requires trust in the invoked CLI's behavior.
Persistence & Privilege
The skill does not request always:true, does not alter other skills' configs, and is user-invocable only. It will write a secrets file at a user-specified path, which is expected for this functionality and is not the same as requesting persistent elevated privileges.
What to consider before installing
This skill is a coherent wrapper for an external tool (uv) that will run a one‑time secret entry UI and write secrets to a file. Before installing or using it: 1) Verify the 'uv' CLI and the referenced GitHub project (https://github.com/Olafs-World/secret-portal) — inspect the code or the package source so you know what will run. 2) Confirm how 'cloudflared' (or any tunnel binary) is downloaded and from which URL; prefer tooling that pulls releases from official, signed sources. 3) Choose the env-file path deliberately (avoid world-readable locations) and consider using a temporary VM/container or ephemeral workspace to limit exposure. 4) If you cannot audit the external binaries, avoid passing high‑value secrets (production API keys) to this flow. 5) If you need stronger guarantees about logging/exfiltration, require cryptographic verification of binaries or use a known audited tool instead.Like a lobster shell, security has layers — review code before you run it.
latestvk977nkvmcq54dxnrp0t8ggg8ts80xcm0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔐 Clawdis
Binsuv
Install
Install uv (brew)
Bins: uv
brew install uv