Vault Enhancements w/ UI

v3.0.0

Vault-backed API Keys management for OpenClaw. Secure file-based secret storage with one-click migration from plaintext config, dynamic key discovery, vault...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to provide vault-backed API-key management and the code matches that: it scans the local openclaw.json for API keys, writes secrets to ~/.openclaw/secrets.json (mode 0600), and patches openclaw.json to use SecretRef objects and configure the 'file' secrets provider. All required actions (reading/writing config and the secrets file, listing/migrating keys, linking skills to vault keys) are proportional to the described purpose.
Instruction Scope
The SKILL.md and implementation instruct the agent/UI to read and mutate the user's openclaw.json and to create/modify ~/.openclaw/secrets.json. This is expected for a migration/secret-management feature, but it does mean the skill will modify your configuration files and create a local secrets vault; users should be aware that migrations are destructive (they replace plaintext entries) and a restart is required for changes to take effect. The code masks values when returning lists/statuses and does not appear to return raw secret values over RPCs.
Install Mechanism
There is no external install spec or network download; the package is instruction-only with included reference source files. The implementation uses standard Node fs APIs to read/write local files and does not fetch code or binaries from external URLs. No extract/download installers observed.
Credentials
The skill requests no environment variables or external credentials. It only accesses local config paths (~/.openclaw/openclaw.json and ~/.openclaw/secrets.json), which aligns with its stated function. The code explicitly skips scanning some sensitive paths (e.g., gateway.auth.token, telegram/discord bot tokens) which is a reasonable safety measure for scope-limited scanning.
Persistence & Privilege
The skill does not request permanent/autonomous privileges (always:false) and does not require model-disable flags. However, it must and does write to user configuration and create a secrets file in the user's home directory — this is appropriate for the feature but is a privileged local operation: changes to openclaw.json are persistent and can affect gateway behavior. The UI warns a restart is required; consider backing up openclaw.json before migration.
Assessment
This skill appears to do what it claims: it creates/uses a local file-backed vault (~/.openclaw/secrets.json) and edits your OpenClaw config (~/.openclaw/openclaw.json) to replace plaintext keys with SecretRef objects. Before installing or running a one-click migration: 1) back up ~/.openclaw/openclaw.json (the migration edits that file), 2) review the included source if you want to confirm exact behavior (the package fully lists read/write handlers), 3) note that secrets are stored locally and protected by file permissions (mode 0600) but any local process/user with filesystem access could read them, and 4) there are no apparent external network or exfiltration behaviors in the code. If you prefer system secret managers (OS keyring, cloud KMS), validate whether this local file vault meets your operational security needs.

latest vk9752wsfvvkxjwg77xzb1rpq9d823n3k

Runtime requirements

🔐 Clawdis
