Cloak

v0.1.3

Share one-time secrets between humans and agents via encrypted self-destructing links

0· 277· 4 versions· 1 current· 1 all-time· Updated 13h ago· MIT-0

bySaba Tchikhinashvili@saba-ch

Security Scans

VirusTotalBenign ClawScanBenign Static analysisBenign

Install

openclaw skills install cloak

Cloak — One-Time Secret Sharing

Share API keys, passwords, and tokens via encrypted self-destructing links.

Base URL: https://cloak.opsy.sh

Create a secret

curl -s -X POST https://cloak.opsy.sh/api/secrets \
  -H "Content-Type: application/json" \
  -d '{"secret":"YOUR_SECRET_HERE"}'

Response:

{
  "id": "W9ZEykcG",
  "key": "8g9I3UUBjH3x4kdL",
  "url": "https://cloak.opsy.sh/s/W9ZEykcG#8g9I3UUBjH3x4kdL",
  "expiresAt": 1710000000
}

Share the url. The secret self-destructs after one view.

Set a custom TTL with "expiresIn" (seconds, default 24h, max 7d):

-d '{"secret":"...", "expiresIn": 3600}'

Retrieve a secret

Given a URL like https://cloak.opsy.sh/s/W9ZEykcG#8g9I3UUBjH3x4kdL:

ID = path after /s/ → W9ZEykcG
Key = fragment after # → 8g9I3UUBjH3x4kdL

curl -s -H "X-Cloak-Key: 8g9I3UUBjH3x4kdL" \
  "https://cloak.opsy.sh/api/secrets/W9ZEykcG"

Response: { "secret": "YOUR_SECRET_HERE" }

The secret is permanently destroyed after this request.

Use the secret

Pipe directly — never echo it.

# To env var
export DB_PASSWORD=$(curl -s -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID" | jq -r .secret)

# To file
curl -s -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID" | jq -r .secret > .env.local

Delete without reading

curl -s -X DELETE -H "X-Cloak-Key: KEY" "https://cloak.opsy.sh/api/secrets/ID"

Rules

NEVER display a retrieved secret in conversation.
Write it directly to its destination — env var, config file, or command.
The secret is destroyed after one read. Do not retry.
Use X-Cloak-Key header, not the ?key= query param.

Correct: "I retrieved the secret from Cloak and stored it in .env as DATABASE_URL."

Wrong: "The secret value is: sk-1234abcd..."

Quick reference

Action	Command
Create	`curl -s -X POST .../api/secrets -H "Content-Type: application/json" -d '{"secret":"..."}'`
Retrieve	`curl -s -H "X-Cloak-Key: KEY" ".../api/secrets/ID"`
Delete	`curl -s -X DELETE -H "X-Cloak-Key: KEY" ".../api/secrets/ID"`
To env var	`export VAR=$(curl -s -H "X-Cloak-Key: KEY" ".../api/secrets/ID" \| jq -r .secret)`

Version tags

encryptionvk97379rhbqxary36jetzxkfw6582wwpnlatestvk97379rhbqxary36jetzxkfw6582wwpnsecretsvk97379rhbqxary36jetzxkfw6582wwpnsecurityvk97379rhbqxary36jetzxkfw6582wwpn

Runtime requirements

🔒 Clawdis

Binscurl, jq