Keys

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: keys
Version: 1.0.0

The OpenClaw AgentSkills bundle 'keys' is designed for secure API key management, explicitly preventing key exposure to the agent. The `keys-broker.sh` script implements robust security measures including strict URL allowlisting, input validation, secure key retrieval from OS keychains, and preventing API keys from appearing in process lists by using temporary files for authentication headers. The `SKILL.md` and `manage.md` files contain explicit instructions for the AI agent to 'Never retrieve keys directly' and 'Never ask user to paste keys in chat', acting as strong prompt-injection defenses. There is no evidence of malicious intent, data exfiltration, unauthorized execution, or persistence mechanisms; instead, the design prioritizes security and key protection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or a prompt causes an unsafe request, it could act with the user's OpenAI, Anthropic, Stripe, or GitHub token privileges.

Why it was flagged

The broker reads API keys from the local OS keychain and attaches them to outbound authenticated API requests, giving the agent delegated account authority.

Skill content
security find-generic-password -s "keys:${service}" -a "$USER" -w
...
secret-tool lookup service "keys:${service}"
...
printf 'Authorization: Bearer %s' "$key"

Recommendation

Use least-privileged API keys, avoid storing high-risk production or financial tokens, and add explicit user confirmation for sensitive or mutating calls.

What this means

A mistaken or malicious instruction could create, modify, delete, or expose data in connected third-party accounts.

Why it was flagged

The tool allows broad access to entire provider API domains and permits mutating methods such as POST, PUT, PATCH, and DELETE without endpoint-level restrictions or approval checks.

Skill content
["stripe"]="^https://api\.stripe\.com/"
...
["github"]="^https://api\.github\.com/"
...
[[ "$method" =~ ^(GET|POST|PUT|PATCH|DELETE|HEAD)$ ]]

Recommendation

Restrict allowed endpoints and methods per service, deny destructive methods by default, and require user approval before account-changing requests.

What this means

A user could accidentally reveal an API key in terminal output or a shared transcript while trying to verify that it exists.

Why it was flagged

The management guide includes verification commands that print the stored key, which weakens the skill's repeated claim that keys should never be exposed to the agent context.

Skill content
## Verify a Key Exists

```bash
# This should return the key
...
security find-generic-password ... -w
...
secret-tool lookup service keys:SERVICE
```

Recommendation

Replace key-printing verification steps with commands that only report presence or success, and explicitly tell users not to share command output containing secrets.

What this means

The installed command will be available in future shells and can use stored keys when invoked.

Why it was flagged

The setup is a manual local install of a shell script into the user's PATH and modifies shell startup configuration; this is purpose-aligned but important because the script handles API keys.

Skill content
cp keys-broker.sh ~/.local/bin/keys-broker
chmod +x ~/.local/bin/keys-broker
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc

Recommendation

Review the script before installing, install it only from a trusted copy, and remove the PATH entry if you stop using the skill.