ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentlair Vault

v1.1.0

Store and fetch credentials securely at runtime via AgentLair Vault REST API. Use when an agent needs to read an API key, store a secret, rotate credentials,...

0· 55·1 current·1 all-time
by@hawkaa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md instructs only how to store, fetch, rotate, list, and delete secrets via the AgentLair Vault REST API. Required binary (curl) and primaryEnv (AGENTLAIR_API_KEY) are appropriate and proportionate for this purpose.
Instruction Scope
All runtime instructions are explicit curl calls to https://agentlair.dev endpoints using the AGENTLAIR_API_KEY bearer token. The instructions do not direct the agent to read local files, other environment variables, or system configuration unrelated to vault operations. Note: the intended behavior is to transmit secrets to the remote vault service (this is expected for a vault integration).
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes on-disk footprint and is proportionate for a wrapper around an HTTP API; required tools are limited to curl.
Credentials
Only a single primary credential (AGENTLAIR_API_KEY) is declared and used in the instructions. No additional unrelated secrets or config paths are requested. Requiring one API key to use the remote vault is appropriate.
Persistence & Privilege
always is false and there are no install steps that modify agent-wide configuration. The skill does not request elevated or persistent platform privileges beyond normal autonomous invocation behavior.
Assessment
This skill appears internally consistent and simply documents how an agent should call the AgentLair Vault API using curl and a single AGENTLAIR_API_KEY. Before installing, confirm you trust the external service (https://agentlair.dev) because storing secrets in the vault means the remote service handles/retains your credentials according to its policies. Keep AGENTLAIR_API_KEY secret and consider using least-privilege or short-lived keys. Because this is instruction-only, the agent will perform network calls directly—ensure your agent environment is allowed to make outbound HTTPS requests. If you need a higher assurance, review AgentLair's privacy/retention/audit docs or prefer an on-premises vault. If you want additional checks, ask for the service's security documentation or a signed SLA before placing highly sensitive keys there.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7ww3gypdzafhgrhgjy3kr183qne6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
OSLinux · macOS · Windows
Binscurl
Primary envAGENTLAIR_API_KEY

Comments