aibtcdev/credentials
credentials/SKILL.md
Encrypted credential store — add, retrieve, list, and delete named secrets (API keys, tokens, passwords) stored AES-256-GCM encrypted at ~/.aibtc/credentials.json. Each write operation requires the master password; listing metadata does not.
$ install --global
skillsauthnpx skillsauth add aibtcdev/skills credentialsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 27, 2026, 5:03 AM118.4s5 files scanned
SKILL.md
- name:
- credentials
- description:
- Encrypted credential store — add, retrieve, list, and delete named secrets (API keys, tokens, passwords) stored AES-256-GCM encrypted at ~/.aibtc/credentials.json. Each write operation requires the master password; listing metadata does not.
- author:
- whoabuddy
- author-agent:
- Trustless Indra
- user-invocable:
- false
- arguments:
- add | get | list | delete | rotate-password
- entry:
- credentials/credentials.ts
- mcp-tools:
- credentials_list, credentials_get, credentials_set, credentials_delete, credentials_unlock
- tags:
- infrastructure, sensitive
Credentials Skill
Manages arbitrary named secrets — API keys, tokens, passwords, URLs — encrypted at rest using AES-256-GCM with per-credential PBKDF2 key derivation. Values are stored as encrypted blobs in ~/.aibtc/credentials.json; only identifiers, labels, categories, and timestamps are stored in plaintext. No wallet is required — the credential store uses its own master password independent of the wallet system.
Usage
bun run credentials/credentials.ts <subcommand> [options]
Subcommands
add
Add a new credential or update an existing one. The value is encrypted with AES-256-GCM using a key derived from the master password via PBKDF2 (100,000 iterations, per-credential salt).
bun run credentials/credentials.ts add --id <id> --value <value> --password <pass> [--label <text>] [--category <cat>]
Options:
--id(required) — Normalized credential identifier (e.g.hiro-api-key,openrouter-token)--value(required) — Plaintext secret value (sensitive — not stored)--password(required) — Master password for encryption (sensitive)--label(optional) — Human-readable label (default: same as id)--category(optional) — Category tag such asapi-key,token,url, orsecret(default:secret)
Output:
{
"success": true,
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
get
Decrypt and return a credential value. The plaintext value appears in the output — handle with care.
bun run credentials/credentials.ts get --id <id> --password <pass>
Options:
--id(required) — Credential identifier--password(required) — Master password for decryption (sensitive)
Output:
{
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"value": "hiro_api_key_xxxxxxxxxxxxxxxx",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
Tip: Extract the value in scripts with
$(bun run credentials/credentials.ts get --id hiro-api-key --password $CRED_PASS | jq -r .value)
list
List all credential identifiers and metadata. No decryption is performed and no secret values are returned.
bun run credentials/credentials.ts list
Output:
{
"count": 2,
"credentials": [
{
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
]
}
delete
Permanently delete a credential. Requires the master password (to verify ownership) and an explicit confirmation string.
bun run credentials/credentials.ts delete --id <id> --password <pass> --confirm DELETE
Options:
--id(required) — Credential identifier to delete--password(required) — Master password for verification (sensitive)--confirm(required) — Must be exactlyDELETE
Output:
{
"success": true,
"deleted": "hiro-api-key",
"message": "Credential \"hiro-api-key\" has been permanently deleted."
}
rotate-password
Change the master password by atomically re-encrypting all credentials. Decrypts every credential with the old password and re-encrypts with the new one. If any credential fails to decrypt, the operation is aborted before any changes are written.
bun run credentials/credentials.ts rotate-password --old-password <pass> --new-password <pass>
Options:
--old-password(required) — Current master password (sensitive)--new-password(required, min 8 chars) — New master password (sensitive)
Output:
{
"success": true,
"message": "Password rotated. 3 credentials re-encrypted.",
"count": 3
}
Security Notes
- Credentials are AES-256-GCM encrypted with a unique salt and IV per credential — a compromised credential does not weaken others
- PBKDF2-SHA256 with 100,000 iterations makes brute-force attacks expensive
- The master password is never written to disk — pass it via
--passwordflag or environment variable substitution ~/.aibtc/credentials.jsonis written with mode 0o600 (owner read/write only)- The credential store is independent of the wallet system — a separate master password is recommended
deleteandrotate-passwordverify the password by decrypting before mutating the store
Related Skills
aibtcdev/wot
development
VerifiedTrustedCommunity
Web of Trust operations for Nostr pubkeys — trust scoring, sybil detection, trust path analysis, neighbor discovery, follow recommendations, and network health. Free tier (wot.klabo.world, 50 req/day) with paid fallback (maximumsats.com, 100 sats via L402). Covers 52K+ pubkeys and 2.4M+ zap-weighted trust edges. Use --key-source to select nip06 (default), taproot, or stacks derivation path.
6SKILL.mdUpdated May 27, 2026
aibtcdev/ordinals-marketplace
data-ai
VerifiedTrustedCommunity
BTC ordinals marketplace operations via Magic Eden — browse active listings, list inscriptions for sale via PSBT flow, submit signed listings, buy inscriptions, and cancel active listings. BTC ordinals only (not Solana). Mainnet-only.
6SKILL.mdUpdated May 27, 2026
aibtcdev/lunarcrush
testing
VerifiedTrustedCommunity
Pay-per-call access to LunarCrush social and market intelligence (Galaxy Score, AltRank, market cap rank, price, 24h change) via x402 on Stacks. USD-pegged pricing recomputed hourly from live STX/USD. Mainnet endpoint live; testnet supported.
6SKILL.mdUpdated May 27, 2026
aibtcdev/hodlmm-inventory-balancer
devops
VerifiedTrustedCommunity
Detects HODLMM LP inventory drift (token-ratio imbalance from one-sided swap flow) and restores the target ratio via a corrective Bitflow swap plus a hodlmm-move-liquidity redeploy, gated by the 4h per-pool cooldown.
6SKILL.mdUpdated May 27, 2026