OpenClaw Key Management Skill 🔐

A comprehensive security key management system that protects your AI assistant's credentials even if memory files are compromised.

When to Use

- Before storing any API keys, passwords, or tokens in your OpenClaw memory files
When you need to secure existing credentials already stored in MEMORY.md or daily logs
For any OpenClaw deployment that handles sensitive authentication data
When sharing your workspace with others or backing up to cloud storage

Core Features

🔒 Strong Encryption

- AES-256-GCM authenticated encryption
PBKDF2-HMAC-SHA256 key derivation (100,000 iterations)
Per-credential random salts and initialization vectors
Tamper detection with authentication tags

🧠 Memory Safety

- Credentials exist in memory for only 30 seconds during active use
Automatic secure zeroing of plaintext credentials
Memory locking to prevent swapping to disk
Runtime credential cache with automatic cleanup

📁 Separation of Concerns

- Credentials never stored in MEMORY.md or daily log files
Dedicated encrypted vault in INLINECODE1
Automatic detection and blocking of credential logging attempts
Secure references like {SECRET:api_key_name} in memory files

⚙️ Dual Security Modes

- Convenience Mode: System key derived from machine ID + hostname (automatic decryption)
High-Security Mode: User passphrase required at each session start
Configurable via INLINECODE3

🛠️ Easy Management

- CLI tool for adding, retrieving, and managing credentials
Automatic backup system with versioned encrypted backups
Migration tool to extract existing credentials from memory files
Integration with OpenClaw's existing memory architecture

Installation

Prerequisites

- OpenClaw 2026.3.13 or later
Node.js 18+ (for encryption module)
Standard Unix-like system (Linux/macOS)

Setup Steps

CODEBLOCK0

Usage

Adding Credentials

CODEBLOCK1

Retrieving Credentials

CODEBLOCK2

Integration with OpenClaw

In your OpenClaw workflows, reference credentials using the secure placeholder format: CODEBLOCK3

The system automatically intercepts these references and provides the decrypted value at runtime.

Security Architecture

File Structure

CODEBLOCK4

Threat Model & Mitigations

Threat	Impact	Mitigation
Memory file compromise	High	Credentials never stored in plaintext
Runtime memory dump

Configuration Options

`config/key_management.json`

CODEBLOCK5

Migration Guide

From Existing OpenClaw Deployments

1. Backup your current workspace
Install this skill following the installation steps
Run migration tool: INLINECODE5
Verify: Check that MEMORY.md now contains {SECRET:name} references
Test: Ensure your workflows still function correctly

Manual Migration

If automatic migration fails, manually:

1. Extract credentials from your memory files
Add them using: INLINECODE8
Replace plaintext values in memory files with INLINECODE9

Best Practices

✅ Do

- Always use this skill for any sensitive credentials
Regularly backup your encrypted vault
Use high-security mode for production deployments
Review and update your configuration periodically

❌ Don't

- Store plaintext credentials in memory files
Share your .secrets/ directory without encryption
Disable memory safety features without understanding risks
Use weak system configurations (outdated Node.js, etc.)

API Reference

Node.js Module

CODEBLOCK6

CLI Commands

- init - Initialize key vault
INLINECODE12 - Add new secret
INLINECODE13 - Get secret value
INLINECODE14 - List all secrets
INLINECODE15 - Create backup
INLINECODE16 - Migrate existing credentials

Troubleshooting

Common Issues

- "No vault file found": Run init command first
Decryption failures: Verify system hasn't changed (machine ID, hostname)
Permission errors: Ensure proper file permissions on .secrets/ directory
Memory issues: Increase Node.js memory limit if handling many credentials

Recovery Procedures

- Lost master key (convenience mode): Restore from backup or re-migrate credentials
Forgotten passphrase (high-security mode): No recovery possible (by design)
Corrupted vault: Restore from latest backup in INLINECODE19

Contributing

This skill follows OpenClaw AgentSkills specification. Contributions welcome:

- Security improvements
Additional encryption algorithms
Better integration with OpenClaw core
Documentation enhancements

License

MIT License - Free to use, modify, and distribute.

Remember: Security is a process, not a product. This skill provides strong protection, but always follow security best practices in your overall OpenClaw deployment.

OpenClaw 密钥管理技能 🔐

一个全面的安全密钥管理系统，即使内存文件被泄露，也能保护您的AI助手的凭证。

使用时机

- 在将任何API密钥、密码或令牌存储到OpenClaw内存文件之前
当您需要保护已存储在MEMORY.md或日常日志中的现有凭证时
适用于任何处理敏感认证数据的OpenClaw部署
当您与他人共享工作空间或备份到云存储时

核心功能

🔒 强加密

- AES-256-GCM 认证加密
PBKDF2-HMAC-SHA256 密钥派生（100,000次迭代）
每个凭证使用随机盐值和初始化向量
带认证标签的防篡改检测

🧠 内存安全

- 凭证在活动使用期间仅在内存中存在 30秒
自动安全清零明文凭证
内存锁定以防止交换到磁盘
带自动清理的运行时凭证缓存

📁 关注点分离

- 凭证从不存储在MEMORY.md或日常日志文件中
专用加密保险库位于.secrets/vault.json.enc
自动检测并阻止凭证记录尝试
内存文件中使用类似{SECRET:apikeyname}的安全引用

⚙️ 双安全模式

- 便捷模式：从机器ID+主机名派生的系统密钥（自动解密）
高安全模式：每次会话启动时需要用户口令
可通过config/key_management.json配置

🛠️ 便捷管理

- 用于添加、检索和管理凭证的CLI工具
带版本化加密备份的自动备份系统
从内存文件中提取现有凭证的迁移工具
与OpenClaw现有内存架构集成

安装

前提条件

- OpenClaw 2026.3.13或更高版本
Node.js 18+（用于加密模块）
标准类Unix系统（Linux/macOS）

设置步骤

bash

1. 将此技能克隆或复制到您的技能目录

cp -r openclaw-key-management-skill ~/.openclaw/your-workspace/skills/

2. 初始化密钥保险库

cd ~/.openclaw/your-workspace ./skills/openclaw-key-management/scripts/key_manager.sh init

3. 配置安全模式（可选）

编辑 skills/openclaw-key-management/config/key_management.json

将 masterkeymode 设置为 system_key（默认）或 passphrase

4. 迁移现有凭证（如有）

./skills/openclaw-key-management/scripts/key_manager.sh migrate

使用方法

添加凭证

bash

添加新凭证

./skills/openclaw-key-management/scripts/keymanager.sh add myapi_key

添加带元数据的凭证

./skills/openclaw-key-management/scripts/keymanager.sh add instreetapi_key

检索凭证

bash

获取凭证值（自动解密）

./skills/openclaw-key-management/scripts/keymanager.sh get myapi_key

列出所有存储的凭证

./skills/openclaw-key-management/scripts/key_manager.sh list

与OpenClaw集成

在您的OpenClaw工作流中，使用安全占位符格式引用凭证： markdown

外部服务

- API密钥：{SECRET:myapikey}

系统会自动拦截这些引用，并在运行时提供解密后的值。

安全架构

文件结构

workspace/
├── .secrets/ # 加密的秘密目录
│ ├── master.key # 加密的主密钥
│ ├── vault.json.enc # 主加密凭证保险库
│ ├── backup/ # 版本化加密备份
│ └── temp/ # 临时运行时文件
├── skills/openclaw-key-management/
│ ├── scripts/key_vault.js # Node.js加密模块
│ ├── scripts/key_manager.sh # CLI管理工具
│ └── config/key_management.json # 配置模板
└── MEMORY.md # 仅安全引用：{SECRET:name}

威胁模型与缓解措施

威胁	影响	缓解措施
内存文件泄露	高	凭证从不以明文存储
运行时内存转储

配置选项

config/key_management.json

json { version: 1.0, masterkeymode: systemkey, // systemkey 或 passphrase encryption: { algorithm: aes-256-gcm, pbkdf2_iterations: 100000, salt_length: 16, iv_length: 12 }, runtime: { credentialtimeoutseconds: 30, enablememorylocking: true, autocleanupon_exit: true }, backup: { enabled: true, max_backups: 10, backupintervalhours: 24 } }

迁移指南

从现有OpenClaw部署迁移

1. 备份当前工作空间
按照安装步骤安装此技能
运行迁移工具：./scripts/key_manager.sh migrate
验证：检查MEMORY.md现在是否包含{SECRET:name}引用
测试：确保您的工作流仍然正常运行

手动迁移

如果自动迁移失败，请手动操作：

1. 从内存文件中提取凭证
使用以下命令添加：./scripts/keymanager.sh add credentialname
将内存文件中的明文值替换为{SECRET:credential_name}

最佳实践

✅ 应该做

- 始终对任何敏感凭证使用此技能
定期备份加密保险库
生产部署使用高安全模式
定期审查和更新配置

❌ 不应该做

- 在内存文件中存储明文凭证
未加密共享您的.secrets/目录
在不了解风险的情况下禁用内存安全功能
使用弱系统配置（过时的Node.js等）

API参考

Node.js模块

javascript const SecureKeyVault = require(./skills/openclaw-key-management/scripts/key_vault.js); const vault = new SecureKeyVault(/path/to/workspace);

await vault.initialize();
await vault.setSecret(api_key, your-secret-value);
const secret = await vault.getSecret(api_key);

CLI命令

- init - 初始化密钥保险库
add NAME - 添加新密钥
get NAME - 获取密钥值
list - 列出所有密钥
backup - 创建备份
migrate - 迁移现有凭证

故障排除

常见问题

- 未找到保险库文件：先运行init命令
解密失败：验证系统未发生变化（机器ID、主机名）
权限错误：确保.secrets/目录具有正确的文件权限
内存问题：如果处理大量凭证，增加Node.js内存限制

恢复流程

- 主密钥丢失（便捷模式）：从备份恢复或重新迁移凭证
忘记口令（高安全模式）：无法恢复（设计如此）
保险库损坏：从.secrets/backup/中的最新备份恢复

贡献

此技能遵循OpenClaw AgentSkills规范。欢迎贡献：

- 安全改进
额外的加密算法
与OpenClaw核心更好的集成
文档增强

许可证

MIT许可证 - 可自由使用、修改和分发。

请记住：安全是一个过程，而非产品。此技能提供强大的保护，但始终要在您的整体OpenClaw部署中遵循安全最佳实践。

openclaw-key-management密钥管理系统