onurkerem/agent-secret
packages/cli/skills/agent-secret/SKILL.md
Secure secret management using the OS keychain. Use to: - Set/Inject secrets into .env files - Check configuration status without exposing values - List stored secrets or keys in .env files TRIGGER AUTOMATICALLY when the user: - Mentions adding, setting, or injecting secrets/keys/tokens into .env files - Mentions API keys for services (Stripe, OpenAI, AWS, Supabase, Firebase, etc.) - Asks to configure environment variables or .env files - Asks about secure secret storage - Mentions credentials, passwords, or tokens
development
Updated Apr 24, 2026
$ install --global
skillsauthnpx skillsauth add onurkerem/agent-secret agent-secretInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:34 PM0.5s1 file scanned
SKILL.md
- name:
- agent-secret
- description:
- |
Agent Secret - Secure Secret Management
This skill enables you to manage secrets securely using the OS keychain. Values are never exposed in terminal output.
Supported Files
Works with files containing .env in the name (e.g., .env, .env.local, .env.prod).
Core Concepts
1. Secret Name vs. File Key
Understanding this distinction is critical:
- Stored Secret: How it's saved in the keychain (e.g.,
PROJECTX_STRIPE_KEY) - File Key: How it appears in the .env file (e.g.,
STRIPE_KEY) - Mapping: Use
STORED_NAME:FILE_KEYto bridge them.agent-secret inject PROJECTX_STRIPE_KEY:STRIPE_KEY
2. Intelligent Secret Matching
CRITICAL: Be smart about matching user requests to stored secrets.
Prefix Handling:
Secret names often have project prefixes: TRAVELER_GOOGLE_MAPS_KEY.
When checking or injecting, usually remove the prefix for the file key: GOOGLE_MAPS_KEY.
Service Matching: Match user mentions to secret names (fuzzy):
| User says | Look for secrets containing |
|-----------|-----------------------------|
| "google", "maps" | GOOGLE_MAPS |
| "stripe" | STRIPE |
| "supabase" | SUPABASE |
| "aws" | AWS |
| "db", "database" | DATABASE, DB |
| "openai" | OPENAI |
Command Reference
Store & Manage
agent-secret set <NAME>: Prompts for secret value (hidden input).agent-secret list: Lists names of all stored secrets.agent-secret delete <NAME>: Removes a secret.
Check & Verify
agent-secret check <KEY> [-f file] [-q]: Verifies if a key exists in the file.-q(quiet): Returns exit code only (0=found, 1=missing). Useful for logic checks.
agent-secret check --list [-f file]: Lists all keys present in the target .env file.
Inject (Write)
agent-secret inject <SPEC>... [-f file]: Injects secrets into a file.- Simple:
inject API_KEY(Stored name == File key) - Mapped:
inject PROJECT_API_KEY:API_KEY(Stored name != File key) - Multiple:
inject KEY1 KEY2 PROJECT_KEY3:KEY3
- Simple:
Operating Workflows
1. Smart Discovery (User mentions service)
User: "Add google maps to .env"
- List first: Run
agent-secret listto see what's available. - Match: Find
TRAVELER_GOOGLE_MAPS_KEY. - Inject: Remove prefix and inject.
agent-secret inject TRAVELER_GOOGLE_MAPS_KEY:GOOGLE_MAPS_KEY -f .env
2. Checking Prerequisites
Before running commands that need secrets, verify they exist silently.
agent-secret check DATABASE_URL -q || echo "Missing DATABASE_URL"
3. Setting Up New Projects
- Store: Ask user to set secrets first.
agent-secret set PROJECT_API_KEY - Inject: Write to the project file.
agent-secret inject PROJECT_API_KEY:API_KEY -f .env
4. Missing Secrets
If a secret is missing (check fails):
- Inform user: "Secret
XYZis not stored." - Provide command: "Run
agent-secret set XYZ." - Wait for user action.
Rules of Engagement
- Never expose values: Do not read or print secret values.
- Always List First: Don't guess secret names; check
listoutput. - Use Mappings: Standardize .env keys by stripping project prefixes.
- Feedback: Report "Configured" or "Missing", not the content.
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026