secrets-manager

KeyVault — Secrets Manager for AI Agents

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "secrets-manager" with this command: npx skills add ylz201/keyvault/ylz201-keyvault-secrets-manager

When you (an AI agent) need to handle API keys, tokens, or other sensitive credentials in any project, you MUST use KeyVault.

Installation

Install from GitHub

pip install git+https://github.com/ylz201/keyvault.git

Or with MCP Server support

pip install "keyvault-ai[mcp] @ git+https://github.com/ylz201/keyvault.git"

Verify installation:

keyvault info

⛔ Rules

  • ❌ NEVER create .env files to store secrets

  • ❌ NEVER hardcode API keys in source code

  • ❌ NEVER commit secrets to git

  • ✅ ALWAYS use keyvault CLI or SDK to manage keys

CLI Commands

keyvault set KEY VALUE                  # Save a secret (global)
keyvault set KEY VALUE --project NAME   # Save per-project override
keyvault get KEY                        # Get (masked)
keyvault get KEY --unmask               # Get (full value)
keyvault list --all                     # List all secrets
keyvault delete KEY                     # Delete a secret
keyvault import .env                    # Bulk import from .env file
keyvault export > .env                  # Export as .env format
keyvault inject -- python script.py     # Run command with all secrets as env vars

Python SDK

from keyvault import get_secret, set_secret

# Get a secret (auto-fallback to os.environ if vault not found)
api_key = get_secret("OPENAI_API_KEY")

# Or just use standard env vars (works when launched via keyvault inject)
import os
api_key = os.environ.get("OPENAI_API_KEY")

MCP Server Setup

To enable AI agents (Claude, Gemini, etc.) to manage secrets via the MCP protocol:

  1. Start the MCP server manually

python -m keyvault.mcp_server

  2. Configure in Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "keyvault": {
      "command": "python",
      "args": ["-m", "keyvault.mcp_server"]
    }
  }
}

  3. Available MCP Tools

Tool             Description
secrets_list     List all stored key names (values hidden)
secrets_get      Retrieve a specific secret value
secrets_set      Store a new secret
secrets_delete   Remove a secret

When a Script Needs a Missing Key

If you discover a script requires an API key that hasn't been configured, prompt the user:

"This operation requires DEEPSEEK_API_KEY. Please run:

keyvault set DEEPSEEK_API_KEY <your-key>

Then re-run the task."

Security

Component    Detail
Encryption   Fernet (AES-128-CBC + HMAC-SHA256)
Master Key   ~/.keyvault/master.key (chmod 600)
Database     ~/.keyvault/vault.db (encrypted values)
Scopes       global (default) / project:<name> (override)
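
A check for the master key permissions listed above, added here as an example (it is not part of KeyVault or the upstream SKILL.md). It audits a key file such as ~/.keyvault/master.key for owner-only access and a parent directory that other users cannot write to; the function name audit_key_file is hypothetical and the check is POSIX only.

```python
import os
import stat
from pathlib import Path


def audit_key_file(key_path, uid=None):
    """Return a list of findings for a secret key file; an empty list means it passed.

    Hypothetical helper, not part of the keyvault package.
    """
    uid = os.getuid() if uid is None else uid
    key_path = Path(key_path)
    findings = []
    try:
        st = os.lstat(key_path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return [f"{key_path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{key_path}: is a symlink, expected a regular file")
    elif not stat.S_ISREG(st.st_mode):
        findings.append(f"{key_path}: not a regular file")
    elif mode & 0o077:
        findings.append(f"{key_path}: mode {mode:04o} grants group/other access, expected 0600")
    if st.st_uid != uid:
        findings.append(f"{key_path}: owned by uid {st.st_uid}, expected {uid}")
    # A parent directory writable by others lets them swap the key file out,
    # even when the file itself is 0600.
    parent = os.stat(key_path.parent)
    if parent.st_uid != uid:
        findings.append(f"{key_path.parent}: owned by uid {parent.st_uid}, expected {uid}")
    if stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append(f"{key_path.parent}: group/world writable")
    return findings


if __name__ == "__main__":
    # Path taken from the Security table above.
    for line in audit_key_file(Path.home() / ".keyvault" / "master.key") or ["ok"]:
        print(line)
```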

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
