Janee

Secrets management for AI agents. Never expose your API keys again.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The repo and SKILL.md describe an MCP-based secrets proxy (Janee) and an OpenClaw plugin that spawns the Janee process. However the skill metadata declares no required binaries while the plugin code expects a global 'janee' executable (it spawns `janee serve`). Also the init template writes a 'masterKey' into the same config file it uses to store services, which would negate encryption-at-rest if the master key and encrypted data are colocated. These are direct mismatches between the stated security purpose and what the implementation does/assumes.
Instruction Scope
SKILL.md instructs the user to install the npm package globally, run `janee init` (which writes ~/.janee/config.yaml containing a masterKey), add services, and start `janee serve`. That scope is reasonable for a local secrets proxy — but the init behavior (inserting a generated masterKey into the config file) contradicts 'keys encrypted at rest' because the key used to decrypt would live next to the ciphertext. The OpenClaw plugin will also spawn a subprocess (`janee serve`) and communicate via stdio; this grants the plugin the ability to run arbitrary code as the user if the installed binary is compromised.
Install Mechanism
There is no registry install spec in the skill metadata (instruction-only), but SKILL.md and package.json expect global npm installation (`npm install -g @true-and-useful/janee`). That is a normal install method, but the registry metadata not listing the required binary is an oversight. The package sources are present in the bundle (package.json, package-lock), not a remote URL install, so install risk is the usual npm-package provenance risk rather than a mysterious remote download.
Credentials
The skill declares no required environment variables, which is plausible for a local-only tool. However the example config template includes an optional LLM provider section that references 'apiKey: env:OPENAI_API_KEY' — that is optional but not surfaced as a required env var. The biggest proportionality problem: the init writes a generated masterKey into config.yaml (mode 0600) — storing the decryption key alongside (or inside) what is supposed to be 'encrypted at rest' is disproportionate to the stated security goal and undermines the protection model.
Persistence & Privilege
The skill does not request 'always: true' and uses the normal plugin model. It registers tools that let an agent request actions via the Janee MCP server; that autonomous invocation is expected for this kind of plugin. Note that the OpenClaw plugin will spawn and manage a local 'janee' subprocess (user-level), so the plugin effectively grants the agent an RPC to a process on the user's machine — appropriate for the purpose but worth auditing because it runs as the user.
What to consider before installing
What to check before installing or using this skill:

- Master key handling: inspect src/core/crypto.ts and the init flow. The init template writes a 'masterKey' into ~/.janee/config.yaml. If the master key is stored in the same file as the encrypted credentials, encryption provides no protection — a compromise of that file yields immediate key exposure. Require the author to explain where the master key is stored and to use a proper OS-level key store (e.g., macOS Keychain, Windows DPAPI, Linux kernel keyring) or at minimum keep the master key separate and not in the same plaintext config.
- Binary provenance: the OpenClaw plugin spawns a subprocess by executing the 'janee' binary. The registry metadata did not declare a required binary; ensure you actually install the npm package from a trusted source and verify the package contents (and checksums) before running. A malicious 'janee' binary would run as your user.
- Audit the code that performs decryption and network access (src/core/* and MCP server code). Confirm network endpoints and any optional LLM integration do not leak secrets to third-party services. The template shows optional LLM provider configuration that can read an env var (e.g., OPENAI_API_KEY) — if you enable such features, be explicit about required env vars and trust boundaries.
- File permissions and logs: the code sets config and logs directories with 0700/0600 modes — good practice. Still review where logs are written (~/.janee/logs) as they contain request metadata and may include agent-provided 'reason' text. Ensure logs do not accidentally include plaintext keys.
- Least privilege and policies: the rule/policy system appears coherent (deny-before-allow), but test it thoroughly (unit tests included). For sensitive services, prefer narrow capabilities and require human approval (requiresReason) and consider running Janee in an isolated account or container to limit blast radius.
- If you cannot confirm the masterKey handling and binary provenance, treat the project as untrusted. Ask the author/maintainer to clarify and fix: (1) do not store the master decryption key in the same config file as ciphertext, (2) declare the required binary/runtime in metadata, and (3) document network endpoints and any optional external services.

Confidence: high that these inconsistencies are real from the provided sources; resolving them would change the assessment to benign if the master key storage and binary provenance issues are fixed and documented.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.2


SKILL.md

Janee

Secrets management for AI agents. Store API keys encrypted, make requests through Janee, never touch the real key.

Why Use Janee?

Most skills tell you to store API keys in plaintext config files. One prompt injection, one leaked log, one compromised session — and your keys are exposed.

Janee fixes this:

  • Keys encrypted at rest — not plaintext JSON
  • Agent never sees the real key — requests go through Janee
  • Path-based policies — restrict what endpoints can be called
  • Full audit trail — every request logged
  • Kill switch — revoke access without rotating keys

Install

npm install -g @true-and-useful/janee
janee init

Add a Service

janee add

Follow the prompts to add your API credentials. Keys are encrypted automatically.

Use in Your Agent

Instead of calling APIs directly with your key, call them through Janee:

# Old way (dangerous):
curl -H "Authorization: Bearer sk_live_xxx" https://api.stripe.com/v1/balance

# Janee way (safe):
# Agent calls execute(capability, method, path) via MCP
# Janee injects the key, agent never sees it

OpenClaw Integration

Install the OpenClaw plugin for native tool support:

openclaw plugins install @true-and-useful/janee-openclaw

Your agent now has:

  • janee_list_services — see available APIs
  • janee_execute — make requests through Janee
  • janee_reload_config — hot-reload after config changes

Example: Secure Moltbook Access

Instead of storing your Moltbook key in ~/.config/moltbook/credentials.json:

janee add moltbook -u https://www.moltbook.com/api/v1 -k YOUR_KEY

Then use Janee to post:

# Your agent calls:
janee_execute(service="moltbook", method="POST", path="/posts", body=...)

Your Moltbook key stays encrypted. Even if your agent is compromised, the key can't be exfiltrated.

Config Example

services:
  stripe:
    baseUrl: https://api.stripe.com
    auth:
      type: bearer
      key: sk_live_xxx  # encrypted

  moltbook:
    baseUrl: https://www.moltbook.com/api/v1
    auth:
      type: bearer
      key: moltbook_sk_xxx  # encrypted

capabilities:
  stripe_readonly:
    service: stripe
    rules:
      allow: [GET *]
      deny: [POST *, DELETE *]

  moltbook:
    service: moltbook
    ttl: 1h
    autoApprove: true
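
The capabilities block above pairs allow and deny lists of "METHOD path" rules. As an added example (not Janee's own code), this JavaScript evaluates such rules deny-before-allow and normalizes the path first, so a narrow rule is checked against the path the upstream API will resolve. The `*` glob semantics, the default-deny fallback, the `balance_only` capability and all function names are assumptions.

```javascript
'use strict';
// Added example: deny-before-allow evaluation of "METHOD path" rules.
// Matching semantics are assumptions, not taken from Janee's source.

// Constructed sample shaped like the page's capability config.
const capabilities = {
  stripe_readonly: { service: 'stripe', rules: { allow: ['GET *'], deny: ['POST *', 'DELETE *'] } },
  balance_only: { service: 'stripe', rules: { allow: ['GET /v1/balance'] } }, // hypothetical
};

// "GET /v1/*" -> { method, regex }; "*" matches any run of characters (assumed).
function compileRule(rule) {
  const [method, ...rest] = rule.trim().split(/\s+/);
  const glob = rest.join(' ') || '*';
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return { method: method.toUpperCase(), regex: new RegExp(`^${escaped}$`) };
}

// Drop the query string and resolve "." / ".." so rules are matched against
// the path the upstream API will actually resolve.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('?')[0].split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

function isAllowed(capName, method, path) {
  const cap = capabilities[capName];
  if (!cap) return { allowed: false, reason: 'unknown capability' };
  // Conservative choice: refuse percent-encoded dots and slashes outright.
  if (/%2e|%2f|%5c/i.test(path)) return { allowed: false, reason: 'encoded separator' };
  const m = method.toUpperCase();
  const p = normalizePath(path);
  const rules = cap.rules || {};
  const hit = (list) => (list || []).map(compileRule)
    .some((r) => (r.method === '*' || r.method === m) && r.regex.test(p));
  if (hit(rules.deny)) return { allowed: false, reason: 'deny rule', path: p };
  if (hit(rules.allow)) return { allowed: true, reason: 'allow rule', path: p };
  return { allowed: false, reason: 'no matching rule', path: p }; // default deny
}
```

A proxy applying this check should forward the normalized `path` from the result rather than the raw agent-supplied string.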

Architecture

┌─────────────┐      ┌──────────┐      ┌─────────┐
│  AI Agent   │─────▶│  Janee   │─────▶│   API   │
│             │ MCP  │          │ HTTP │         │
└─────────────┘      └──────────┘      └─────────┘
      │                   │
   No key           Injects key
                    + logs request
