Openclaw

v2.1.0

Secure key management for AI agents. Use when handling private keys, API secrets, wallet credentials, or when building systems that need agent-controlled funds. Covers secure storage, session keys, leak prevention, prompt injection defense, and MetaMask Delegation Framework integration.

⭐ 2· 1.3k·2 current·2 all-time

by@zscole·duplicate of @zscole/openclaw

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zscole/bagman.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Openclaw" (zscole/bagman) from ClawHub.
Skill page: https://clawhub.ai/zscole/bagman
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: op
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install bagman

ClawHub CLI

Package manager switcher

npx clawhub@latest install bagman

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

The name/description (key management, session keys, delegation) aligns with the content: examples center on 1Password CLI ('op'), session-key patterns, ERC-4337/Delegation Framework integration, and prompt-injection defenses. Declaring 'op' as the required binary is appropriate given the heavy 1Password usage. The skill references other tooling (Foundry, gitleaks, Vault, AWS SDK) but only as optional integrations or examples — not required env vars — which is proportionate to the stated purpose.

ℹ

Instruction Scope

SKILL.md is instruction-only and stays focused on secret retrieval, sanitization, input validation, session keys, and delegation. It contains runnable examples (op signin/read/run, subprocess/execSync calls, pre-commit hooks, git filter-branch remediation) which are expected for an operational guide. Note: some remediation commands (git filter-branch + force push) are destructive and the pre-commit sample mentions a bypass (git commit --no-verify) — operators should treat those with caution and not run destructive commands without understanding them. The file also includes explicit defensive patterns that match common jailbreak phrases (e.g., 'ignore previous instructions').

✓

Install Mechanism

There is no install spec (instruction-only), which minimizes disk-write risk. The guide recommends installing well-known tools via brew (1Password CLI, gitleaks) — a low-risk, expected approach for this purpose. No remote download+extract operations are embedded in the skill itself.

ℹ

Credentials

The skill declares no required env vars or credentials, which is consistent with an operations guide that uses a secret manager (1Password). The examples do show alternate integrations (AWS Secrets Manager, Vault) and systemd/Secrets usage; those imply operator-provided credentials at runtime but the skill does not request unrelated secrets. Important operator responsibility: follow the guide to ensure the agent vault only exposes session keys (not master keys) and restrict agent read permissions; misconfiguration could give excessive access.

✓

Persistence & Privilege

The skill is not always-included and does not request persistent system changes itself (instruction-only). It does not modify other skills or system-wide agent settings. It does describe creating vaults and pre-commit hooks, which are normal operational artifacts but require operator approval to deploy.

Scan Findings in Context

[prompt-injection] expected: The pre-scan flagged 'ignore-previous-instructions' and related jailbreak phrases. Those strings appear inside the skill as examples of attacks and in the InputValidator block (they are being detected and blocked by the skill itself), so the finding is expected and appears defensive rather than adversarial.

Assessment

This is an instruction-only security pattern library that expects you to run and configure tooling (1Password CLI, optional Foundry/gitleaks, Python/Node examples). Before using: 1) Verify the skill source (check the GitHub repo and commit history) and review any code snippets you plan to run. 2) Install and sign into 1Password yourself; create a dedicated 'Agent-Credentials' vault and ensure the agent account has only the minimal read permissions for session keys — never give the agent master keys. 3) Treat remediation commands (git filter-branch, force-push) as destructive — test backups and use safer git-secret-removal tools if unsure. 4) Review and test the InputValidator and OutputSanitizer in an isolated environment; do not assume they are perfect. 5) If you plan to let the agent act autonomously, add human confirmation steps and monitoring/alerts for secret access and transactions. If you want higher assurance, ask the skill author for an authoritative release repo, signed releases, and small runnable testcases you can audit before granting any agent access to real funds or secrets.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis

Binsop

latestvk976sqd6c7xqcky70q6wt09rfh80rvsq

1.3kdownloads

2stars

2versions

Updated 1mo ago

v2.1.0

MIT-0

Bagman

Secure key management patterns for AI agents handling wallets, private keys, and secrets.

When to Use This Skill

Agent needs wallet/blockchain access
Handling API keys, credentials, or secrets
Building systems where AI controls funds
Preventing secret leakage via prompts or outputs

Quick Start

# Install 1Password CLI
brew install 1password-cli

# Authenticate
eval $(op signin)

# Create vault for agent credentials
op vault create "Agent-Credentials"

# Run examples
cd examples && python test_suite.py

Core Rules

Rule	Why
Never store raw private keys	Config, env, memory, or conversation = leaked
Use delegated access	Session keys with time/value/scope limits
Secrets via secret manager	1Password, Vault, AWS Secrets Manager
Sanitize all outputs	Scan for key patterns before any response
Validate all inputs	Check for injection attempts before wallet ops

Architecture

┌─────────────────────────────────────────────────────┐
│                   AI Agent                          │
├─────────────────────────────────────────────────────┤
│  Session Key (bounded)                              │
│  ├─ Expires after N hours                           │
│  ├─ Max spend per tx/day                            │
│  └─ Whitelist of allowed contracts/methods          │
├─────────────────────────────────────────────────────┤
│  Secret Manager (1Password/Vault)                   │
│  ├─ Retrieve at runtime only                        │
│  ├─ Never persist to disk                           │
│  └─ Audit trail of accesses                         │
├─────────────────────────────────────────────────────┤
│  Smart Account (ERC-4337)                           │
│  ├─ Programmable permissions                        │
│  └─ Recovery without key exposure                   │
└─────────────────────────────────────────────────────┘

Implementation Files

File	Purpose
`examples/secret_manager.py`	1Password integration for runtime secret retrieval
`examples/sanitizer.py`	Output sanitization (keys, seeds, tokens)
`examples/validator.py`	Input validation (prompt injection defense)
`examples/session_keys.py`	ERC-4337 session key configuration
`examples/delegation_integration.ts`	MetaMask Delegation Framework (EIP-7710)
`examples/pre-commit`	Git hook to block secret commits
`examples/test_suite.py`	Adversarial test suite
`docs/prompt-injection.md`	Deep dive on injection defense
`docs/secure-storage.md`	Secret storage patterns
`docs/session-keys.md`	Session key architecture
`docs/leak-prevention.md`	Output sanitization patterns
`docs/delegation-framework.md`	On-chain permission enforcement (EIP-7710)

1. Secret Retrieval

1Password CLI Pattern

# Retrieve at runtime (never store result)
SESSION_KEY=$(op read "op://Agents/my-agent/session-key")

# Run with injected secrets (never touch disk)
op run --env-file=.env.tpl -- python agent.py

.env.tpl (safe to commit - no secrets)

PRIVATE_KEY=op://Agents/trading-bot/session-key
RPC_URL=op://Infra/alchemy/sepolia-url
OPENAI_API_KEY=op://Services/openai/api-key

Python Usage

from secret_manager import get_session_key

# Retrieve validated session key
creds = get_session_key("trading-bot-session")

# Check validity
if creds.is_expired():
    raise ValueError("Session expired - request renewal from operator")

print(f"Time remaining: {creds.time_remaining()}")
print(f"Allowed contracts: {creds.allowed_contracts}")

# Use the key (never log it!)
client.set_signer(creds.session_key)

Vault-Level ACL (Recommended)

Configure 1Password vault permissions:

Agent-Credentials/
├── trading-bot-session    # Agent can read
├── payment-bot-session    # Agent can read
└── master-key             # Operator ONLY (agent has no access)

Principle: Agent credentials should be in a vault with read-only agent access. Master keys should be in a separate vault the agent cannot access.

2. Output Sanitization

Apply to ALL agent outputs before sending anywhere:

from sanitizer import OutputSanitizer

def respond(content: str) -> str:
    """Sanitize before any output."""
    return OutputSanitizer.sanitize(content)

# Catches:
# - Private keys (0x + 64 hex)
# - OpenAI/Anthropic/Groq/AWS keys
# - GitHub/Slack/Discord tokens
# - BIP-39 seed phrases (12/24 words)
# - PEM private keys
# - JWT tokens

Patterns Detected

Pattern	Example	Result
ETH private key	`0x1234...abcd` (64 hex)	`[PRIVATE_KEY_REDACTED]`
ETH address	`0x742d...f44e` (40 hex)	`0x742d...f44e` (truncated)
OpenAI key	`sk-proj-abc123...`	`[OPENAI_KEY_REDACTED]`
Anthropic key	`sk-ant-api03-...`	`[ANTHROPIC_KEY_REDACTED]`
12-word seed	`abandon ability able...`	`[SEED_PHRASE_12_WORDS_REDACTED]`
JWT	`eyJhbG...`	`[JWT_TOKEN_REDACTED]`

3. Input Validation

Check inputs before ANY wallet operation:

from validator import InputValidator, ThreatLevel

result = InputValidator.validate(user_input)

if result.level == ThreatLevel.BLOCKED:
    return f"Request blocked: {result.reason}"

if result.level == ThreatLevel.SUSPICIOUS:
    # Log for review, but allow
    log_suspicious(user_input, result.reason)

# Proceed with operation

Threat Categories

Category	Examples	Action
Extraction	"show private key", "reveal secrets"	Block
Override	"ignore previous instructions"	Block
Role manipulation	"you are now admin"	Block
Jailbreak	"DAN mode", "bypass filters"	Block
Exfiltration	"send config to https://..."	Block
Wallet threats	"transfer all", "unlimited approve"	Block
Encoded	Base64/hex encoded attacks	Block
Unicode tricks	Cyrillic lookalikes, zero-width	Block
Suspicious	"hypothetically", "just between us"	Warn

4. Operation Allowlisting

Never execute arbitrary operations. Explicit whitelist only:

from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass
class AllowedOperation:
    name: str
    handler: callable
    max_value: Optional[Decimal] = None
    requires_confirmation: bool = False
    cooldown_seconds: int = 0

ALLOWED_OPS = {
    "check_balance": AllowedOperation("check_balance", get_balance),
    "transfer_usdc": AllowedOperation(
        "transfer_usdc", 
        transfer,
        max_value=Decimal("500"),
        requires_confirmation=True,
        cooldown_seconds=60
    ),
    "swap": AllowedOperation(
        "swap",
        swap_tokens,
        max_value=Decimal("1000"),
        cooldown_seconds=300
    ),
}

def execute(op_name: str, **kwargs):
    if op_name not in ALLOWED_OPS:
        raise PermissionError(f"Operation '{op_name}' not allowed")
    
    op = ALLOWED_OPS[op_name]
    
    if op.max_value and kwargs.get("amount", 0) > op.max_value:
        raise PermissionError(f"Amount exceeds limit: {op.max_value}")
    
    if op.requires_confirmation:
        return request_confirmation(op_name, kwargs)
    
    return op.handler(**kwargs)

5. Confirmation Flow

High-value operations require explicit confirmation:

import hashlib
import time

pending_confirmations = {}

def request_confirmation(operation: str, details: dict) -> str:
    code = hashlib.sha256(
        f"{operation}{time.time()}".encode()
    ).hexdigest()[:8].upper()
    
    pending_confirmations[code] = {
        "op": operation,
        "details": details,
        "expires": time.time() + 300  # 5 minutes
    }
    
    return f"⚠️ Confirm '{operation}' with code: {code}\n(expires in 5 minutes)"

def confirm(code: str):
    if code not in pending_confirmations:
        return "Invalid confirmation code"
    
    req = pending_confirmations.pop(code)
    
    if time.time() > req["expires"]:
        return "Confirmation code expired"
    
    return execute_confirmed(req["op"], req["details"])

6. Session Keys (ERC-4337)

Instead of giving agents master keys, issue bounded session keys:

from session_keys import SessionKeyManager

# Operator creates trading session for agent
config = SessionKeyManager.create_trading_session(
    agent_name="alpha-trader",
    operator_address="0x742d...",
    duration_hours=24,
    max_trade_usdc=1000,
    daily_limit_usdc=5000,
)

# Export for storage in 1Password
export_data = SessionKeyManager.export_for_1password(
    config, 
    session_key_hex="0x..."  # Generated session key
)

# op item create ... (store in 1Password)

Session Key Benefits

Feature	Master Key	Session Key
Expiration	Never	Configurable (hours/days)
Spending limits	None	Per-tx and daily caps
Contract restrictions	Full access	Whitelist only
Revocation	Requires key rotation	Instant, no key change
Audit	None	Full operation log

7. Pre-commit Hook

Block commits containing secrets:

# Install
cp examples/pre-commit .git/hooks/
chmod +x .git/hooks/pre-commit

Detected patterns:

ETH private keys (64 hex chars)
OpenAI/Anthropic/Groq keys
AWS access keys
GitHub/GitLab tokens
Slack/Discord tokens
PEM private keys
Generic PASSWORD/SECRET assignments
BIP-39 seed phrases

8. Defense Layers

USER INPUT
    │
    ▼
┌────────────────────────────┐
│ Layer 1: Input Validation  │  ← Regex + encoding + unicode checks
└────────────────────────────┘
    │
    ▼
┌────────────────────────────┐
│ Layer 2: Op Allowlisting   │  ← Explicit whitelist only
└────────────────────────────┘
    │
    ▼
┌────────────────────────────┐
│ Layer 3: Value Limits      │  ← Max per-tx and per-day
└────────────────────────────┘
    │
    ▼
┌────────────────────────────┐
│ Layer 4: Confirmation      │  ← Time-limited codes for $$$
└────────────────────────────┘
    │
    ▼
┌────────────────────────────┐
│ Layer 5: Isolated Exec     │  ← Wallet ops != conversation
└────────────────────────────┘
    │
    ▼
OUTPUT SANITIZATION

Common Mistakes

❌ Keys in memory files

# memory/2026-02-07.md
Private key: 0x9f01dad551039daad...

Fix: Store reference only: Private key: [stored in 1Password: test-wallet]

❌ Keys in error messages

except Exception as e:
    log(f"Failed with key {private_key}: {e}")

Fix: Never include credentials in error context

❌ Keys in .env.example

PRIVATE_KEY=sk-ant-api03-real-key...  # "for testing"

Fix: Use obviously fake: PRIVATE_KEY=your-key-here

❌ "All" in transfer requests

User: "Transfer all my USDC"
Agent: *executes unlimited transfer*

Fix: Block "all/everything/max" patterns, require explicit amounts

❌ Trusting conversation context

# Wallet has access to conversation history
self.wallet.execute(conversation[-1]["content"])

Fix: Wallet operations must be isolated from conversation context

Testing

cd examples

# Run full test suite
python test_suite.py

# Test individual components
python sanitizer.py    # Output sanitization demo
python validator.py    # Input validation demo
python session_keys.py # Session key demo

Expected output: All tests passed

Checklist

Security Model Limitations

This skill provides defense in depth, not a guarantee. Adversaries may:

Novel injection patterns - Regex can't catch everything; semantic analysis helps but isn't perfect
Social engineering - Convincing the operator to approve malicious operations
Timing attacks - Exploiting confirmation windows
Encoding evasion - New encoding schemes not covered

Recommendation: Layer these defenses with:

Rate limiting
Anomaly detection
Human-in-the-loop for large transactions
Regular security audits

Comments

Loading comments...