OpenClaw Key Management

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill provides a credential encryption vault using AES-256-GCM, but its implementation contains significant security risks. The primary issue is in `scripts/key_manager.sh`, which generates temporary Node.js scripts by injecting unsanitized shell variables (`$SECRET_NAME`, `$SECRET_VALUE`) directly into JavaScript code blocks, making it highly vulnerable to code injection. Additionally, the scripts contain hardcoded workspace paths (e.g., `/zhaining`) and specific logic in `scripts/key_manager.sh` to target 'Instreet' API keys (`sk_inst_`), suggesting the tool is tailored for a specific environment or target. While no evidence of intentional data exfiltration was found, the poor handling of sensitive input in a security-focused tool is a major red flag.