Secure API Calls
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: secure-api-calls Version: 1.0.3 The skill is classified as suspicious due to its reliance on installing a global npm package (`keychains@0.0.13`) and the local generation of an Ed25519 SSH keypair in `~/.keychains/` by the `keychains` CLI, as detailed in `SKILL.md`. While the skill's stated purpose is to enhance security by abstracting credentials via a proxy service (`keychains.dev`), these operations introduce significant supply chain risks and trust requirements. If the `keychains` package or the `keychains.dev` service were compromised, it could lead to unauthorized access or credential leakage, despite the skill's explicit claims of security and privacy.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use connected accounts to call read or write endpoints, including posting messages or changing account data, without a clearly documented per-request confirmation step.
The skill exposes a raw curl-like API path with credential injection and includes a mutating API example; after one approval, later provider requests are described as automatic.
Use `keychains curl` instead of `curl`... Send Slack message: `keychains curl https://slack.com/api/chat.postMessage -X POST ...` ... All future requests to that provider succeed instantly.
Require explicit user confirmation before write, delete, payment, email, posting, or administrative API calls; prefer read-only scopes and provider allowlists.
Approving a provider may let the agent act as you on that service until the authorization is revoked or scoped down.
The skill delegates real OAuth tokens and API keys for arbitrary providers to the proxy, giving the agent effective account authority through placeholders.
Instead of real API keys and OAuth tokens, you use placeholders like `{{OAUTH2_ACCESS_TOKEN}}`. Keychains injects the real credentials server-side ... Anything else | API key | `{{STRIPE_SECRET_KEY}}`, `{{OPENAI_API_KEY}}`.Use least-privilege credentials, document exact scopes, revoke unused connections in the Keychains dashboard, and avoid approving broad account access unless necessary.
Even if credentials are hidden from the agent, API request details may be visible to Keychains and retained in audit logs.
The proxy data flow is disclosed, but full request metadata and possibly sensitive URLs pass through and are logged by a third-party service.
Your request (URL, headers, body) is routed through keychains.dev ... Every proxied request is logged (URL, method, provider, timestamp, status code). Archived to AWS S3 ... retention (30 days–3 years).
Avoid placing sensitive data in URLs or unnecessary request bodies, review Keychains privacy/retention settings, and use direct provider access for data that should not transit the proxy.
Installing the skill requires trusting the external Keychains CLI package and its update/provenance chain.
The installed global CLI is an external npm package that was not included in the artifacts for static review, though it is pinned and expected for the skill.
Source: unknown ... Install specifications: node | package: keychains@0.0.13 | creates binaries: keychains ... No code files present.
Verify the npm package publisher and homepage, install in a controlled environment, and monitor package versions before upgrading.
The machine may retain the ability to use approved provider connections beyond the initial task.
The skill creates persistent local machine authentication and reuses approvals for future provider requests; this is disclosed but durable.
Machine registration is automatic on first run (creates `~/.keychains/` with an Ed25519 SSH keypair) ... All future requests to that provider succeed instantly.
Know how to revoke provider approvals, rotate keys with `keychains machine rotate-keys`, and remove local Keychains state when no longer needed.