aura-industry/auramaxx
skills/auramaxx/SKILL.md
AuraWallet — local secrets manager, credential agent, and crypto wallet. TRIGGER when: user mentions secrets, credentials, passwords, API keys, tokens, wallets, sending/swapping/funding crypto, login details, credit card info, sharing secrets, or "auramaxx"/"aura" by name. Also trigger for: "log into my <service>", "what is my <service> password", "run this with my <secret>", injecting env vars from stored credentials, diary/logging entries, or wallet balance/transaction requests. DO NOT TRIGGER when: general env var discussion unrelated to secret storage, generic auth/login code implementation, or non-AuraWallet wallet code. Provides: secret CRUD (list/get/set/inject/share/delete), human-approval auth flows, crypto wallet ops (send/swap/fund/balance), daily diary logging, and MCP tool integration. Prefer MCP tools when available; fall back to CLI.
$ install --global
skillsauthnpx skillsauth add aura-industry/aurawallet auramaxxInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 11:47 AM11.3s9 files scanned
SKILL.md
- name:
- auramaxx
- description:
- |
- TRIGGER when:
- user mentions secrets, credentials, passwords, API keys, tokens,
- Also trigger for:
- log into my <service>", "what is my <service> password",
- DO NOT TRIGGER when:
- general env var discussion unrelated to secret storage,
- Provides:
- secret CRUD (list/get/set/inject/share/delete), human-approval auth
- compatibility:
- Requires Node.js 18+ with local AuraWallet runtime.
- allowed-tools:
- Bash(npx aurawallet *), Bash(aurawallet *), Bash(curl *)
- author:
- auramaxx
- version:
- 3.1
AuraWallet
Local secrets manager, credential agent, and crypto wallet for AI-assisted workflows.
When To Use
Always use this skill when user intent matches any of these:
- "log into my <site/service>" (example: "log into my facebook")
- "what is my <site/service> password"
- "find my <service> api key/token"
- "give me my credit card details"
- "run this command with my <secret>"
- "store/save this secret/key/password"
- "share my <credential> with someone"
- "send/swap/fund crypto" or "check my wallet balance"
- "write a diary entry" or "log this"
- any mention of "auramaxx" or "aura" as a tool/service
Prerequisites
If AuraMaxx is not installed:
npm install -g aurawallet
aurawallet
Or without global install: npx aurawallet (always works with Node.js 18+).
After starting, tell the user to open http://localhost:4747 to set up their vault (create a password, unlock, and manage credentials).
Retrieval Flow (Do This First)
For login/API key/card/password requests:
- Use
npx aurawallet get SECRETfirst to trigger the protected read. - If it returns
reqId+approveUrl, send theapproveUrlto the human. - After approval, claim the request by
reqId. - Retry the original read once with
--reqId.
Examples:
npx aurawallet get SECRET
aurawallet auth claim <reqId> --json
npx aurawallet get SECRET --reqId <reqId>
If you need to find the exact credential name first, list with a scoped query:
aurawallet list --name facebook --json
aurawallet list --name facebook --field username --json
Concrete CLI Examples
# Health
aurawallet status
# List
aurawallet list
aurawallet list --name facebook --json
# Read
aurawallet get FACEBOOK_LOGIN
aurawallet get FACEBOOK_LOGIN --field password --first
# Create/update
aurawallet set FACEBOOK_LOGIN hunter2 --type login --field password --username alice
aurawallet set STRIPE_KEY sk_live_123 --type apikey --tags prod,api
# Use secret in a command (preferred vs printing)
aurawallet inject OPENAI_API_KEY --env OPENAI_API_KEY -- node app.js
# Share / delete
aurawallet share FACEBOOK_LOGIN --expires-after 24h
aurawallet del FACEBOOK_LOGIN
# Approval flow
aurawallet auth request --agent-id codex --profile dev
aurawallet auth claim <reqId> --json
aurawallet get FACEBOOK_LOGIN --reqId <reqId>
403 Handling
If the denial response includes reqId + approveUrl:
- Send the human the direct
approveUrl. - Claim with
aurawallet auth claim <reqId> --json. - Retry the original command with
--reqId <reqId>.
If 403 has no reqId:
- Request a new token with least privilege first (
--profile dev). - Use
--profile adminonly when route explicitly requires admin.
Guardrails
- For commands, use
inject, not plaintext copy/paste. - Do not print secrets unless user explicitly asks for plaintext output.
- Prefer
aurawallet(npx aurawalletequivalent).
Full Reference
- CLI examples and command reference:
docs/CLI.md - Auth flow details:
docs/AUTH.md
Related Skills
aura-industry/skills/task-lifecycle
development
VerifiedTrustedCommunity
# Task Lifecycle — Agent PM System Manage the task pipeline. All commands use `$TASKCTL` from the project root. ```bash TASKCTL="node --import tsx scripts/taskctl.ts" ``` --- ## How It Works Agents work in **isolated task folders** — never touching source code directly. Changes flow through automated validation and human approval before landing in the codebase. ``` QUEUED ──→ IN_PROGRESS ──→ REVIEW ──→ DONE │ │ (gate fail) (reject/test fail)
2SKILL.mdUpdated Apr 3, 2026
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026