armorclaw

AES-256 encrypted secrets manager for OpenClaw agents. Store API keys, tokens, and credentials in a secure local vault instead of plain-text .env files. Features master password with machine/IP binding, one-command .env migration, cross-skill secret sharing, and per-skill access logging. Use when: securing API keys, migrating from .env files, or auditing which skills access which credentials.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "armorclaw" with this command: npx skills add supertechgod/armorclaw

ArmorClaw — Encrypted Secrets Manager for OpenClaw

Stop storing API keys in plain-text .env files. ArmorClaw encrypts everything with AES-256 and unlocks only on your machine.

Install

npx clawhub@latest install armorclaw
pip install ./skills/armorclaw

Quick Start

# Initialize vault
armorclaw init

# Store your first key
armorclaw set OPENAI_KEY

# Or import your whole .env at once
armorclaw import ~/.openclaw/openclaw.env

# List stored secrets
armorclaw list

Use in OpenClaw Agent

from armorclaw.openclaw import inject_vault_env

# Inject all vault secrets into environment at startup
inject_vault_env(password="your-master-password")

# Or use ARMORCLAW_PASSWORD env var for bot auto-unlock
# export ARMORCLAW_PASSWORD="your-master-password"
# inject_vault_env()

Cross-Skill Sharing

One key, all your skills:

from armorclaw.openclaw import get_vault_key

# Any skill can pull keys from the vault
api_key = get_vault_key("OPENAI_KEY", skill="senticlaw")

CLI Reference

armorclaw init              Initialize vault + set master password
armorclaw set KEY [value]   Store a secret
armorclaw get KEY           Retrieve a secret
armorclaw list              List all stored keys (no values shown)
armorclaw delete KEY        Delete a secret
armorclaw import [path]     Import .env file into vault
armorclaw log [KEY]         View access log
armorclaw report            Skill usage report

Lock Modes

ModeSecurityDescription
passwordMediumType master password each time
machineGoodLocked to registered machine (MAC address)
static-ipGoodLocked to your static external IP only
machine+static-ipStrongestMachine AND static external IP must match
botConvenientBot auto-unlocks using stored password

⚠️ IP restriction requires a STATIC external IP. Dynamic/rotating IPs (most home internet) will lock you out when your IP changes. ArmorClaw will warn you and confirm before registering.

Security

  • AES-256-CBC encryption with PBKDF2-HMAC-SHA256 key derivation (600k iterations)
  • HMAC integrity — detects tampering
  • Machine binding — vault won't open on another machine
  • IP restriction — vault won't open from a different network
  • Zero plaintext storage — keys never written unencrypted anywhere
  • Access audit log — every read/write tracked with skill name + timestamp

Built by PHRAIMWORK LLC · MIT License Part of the PHRAIMWORK Security Suite: SentiClaw + ArmorClaw

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Privacy Mask

Mask, redact, anonymize and censor sensitive information (PII) in screenshots and images — phone numbers, emails, IDs, API keys, crypto wallets, credit cards...

Registry SourceRecently Updated
4341Profile unavailable
Security

Deepsafe Scan

Preflight security scanner for AI coding agents — scans deployment config, skills/MCP servers, memory/sessions, and AI agent config files (hooks injection) f...

Registry SourceRecently Updated
3140Profile unavailable
Security

Agent Identity & Access Management: RBAC, Key Scoping, and Multi-Tenant Security for AI Agent Systems

Agent Identity & Access Management: RBAC, Key Scoping, and Multi-Tenant Security for AI Agent Systems. Complete IAM architecture for multi-agent commerce: Ed...

Registry SourceRecently Updated
1660Profile unavailable
Security

Supabase Vault

Replace OpenClaw's local file vault with Supabase Vault for AES-256 encrypted-at-rest secret storage. All API keys and auth tokens stored encrypted in Postgr...

Registry Source
3110Profile unavailable