Openclaw

v2.1.0

Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration.

by @zscole · duplicate of @zscole/openclaw
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (key management, session keys, delegation) aligns with the content: examples center on 1Password CLI ('op'), session-key patterns, ERC-4337/Delegation Framework integration, and prompt-injection defenses. Declaring 'op' as the required binary is appropriate given the heavy 1Password usage. The skill references other tooling (Foundry, gitleaks, Vault, AWS SDK) but only as optional integrations or examples — not required env vars — which is proportionate to the stated purpose.
Instruction Scope
SKILL.md is instruction-only and stays focused on secret retrieval, sanitization, input validation, session keys, and delegation. It contains runnable examples (op signin/read/run, subprocess/execSync calls, pre-commit hooks, git filter-branch remediation) which are expected for an operational guide. Note: some remediation commands (git filter-branch + force push) are destructive and the pre-commit sample mentions a bypass (git commit --no-verify) — operators should treat those with caution and not run destructive commands without understanding them. The file also includes explicit defensive patterns that match common jailbreak phrases (e.g., 'ignore previous instructions').
Install Mechanism
There is no install spec (instruction-only), which minimizes disk-write risk. The guide recommends installing well-known tools via brew (1Password CLI, gitleaks) — a low-risk, expected approach for this purpose. No remote download+extract operations are embedded in the skill itself.
Credentials
The skill declares no required env vars or credentials, which is consistent with an operations guide that uses a secret manager (1Password). The examples do show alternate integrations (AWS Secrets Manager, Vault) and systemd/Secrets usage; those imply operator-provided credentials at runtime but the skill does not request unrelated secrets. Important operator responsibility: follow the guide to ensure the agent vault only exposes session keys (not master keys) and restrict agent read permissions; misconfiguration could give excessive access.
Persistence & Privilege
The skill is not always-included and does not request persistent system changes itself (instruction-only). It does not modify other skills or system-wide agent settings. It does describe creating vaults and pre-commit hooks, which are normal operational artifacts but require operator approval to deploy.
Scan Findings in Context
[prompt-injection] expected: The pre-scan flagged 'ignore-previous-instructions' and related jailbreak phrases. Those strings appear inside the skill as examples of attacks and in the InputValidator block (they are being detected and blocked by the skill itself), so the finding is expected and appears defensive rather than adversarial.
Assessment
This is an instruction-only security pattern library that expects you to run and configure tooling (1Password CLI, optional Foundry/gitleaks, Python/Node examples). Before using:
1) Verify the skill source (check the GitHub repo and commit history) and review any code snippets you plan to run.
2) Install and sign into 1Password yourself; create a dedicated 'Agent-Credentials' vault and ensure the agent account has only the minimal read permissions for session keys — never give the agent master keys.
3) Treat remediation commands (git filter-branch, force-push) as destructive — test backups and use safer git-secret-removal tools if unsure.
4) Review and test the InputValidator and OutputSanitizer in an isolated environment; do not assume they are perfect.
5) If you plan to let the agent act autonomously, add human confirmation steps and monitoring/alerts for secret access and transactions.
If you want higher assurance, ask the skill author for an authoritative release repo, signed releases, and small runnable testcases you can audit before granting any agent access to real funds or secrets.

Like a lobster shell, security has layers — review code before you run it.

latest vk976sqd6c7xqcky70q6wt09rfh80rvsq


Runtime requirements

🔐 Clawdis
Bins: op
