Secure Credential Vault — v1.0 Release Notes
Version: 1.0
Released: 2026-04-20
Price: $4.99
Category: security
QA Status: APPROVED_FOR_RELEASE (Viper 2026-04-20)
What It Does
Secure Credential Vault gives OpenClaw skills an AES-256 encrypted local store for API keys, tokens, and secrets — so you never have to leave credentials in plaintext .env files, config files, or git history again. Unlock the vault with a master passphrase (never stored on disk), then store, retrieve, rotate, and audit any credential by name. Every access event is logged with a timestamp and key name, giving you a full audit trail without ever exposing values. Exports to shell env-files when skills need credentials at runtime, with optional auto-delete after 60 seconds.
Use Cases
- Developers managing API keys for multiple skills who are tired of plaintext credentials scattered across config files and
.envfiles that risk accidental git commits or unauthorised access - Security-conscious operators who need a tamper-evident audit log of every credential access event — who got what key and when — for compliance or incident response
- Teams responding to a credential leak who need a structured key rotation workflow: update the vault, log the rotation, and export fresh values to dependent skills without touching individual config files
Requirements
| Requirement | Detail |
|-------------|--------|
| OpenClaw | Any current version |
| Python | 3.8+ |
| Primary encryption | cryptography Python package (AES-256 / Fernet + PBKDF2) |
| Fallback | XOR obfuscation if cryptography not installed (with clear warning) |
| API Keys | None required |
| Master passphrase | Set via prompt or VAULT_PASSPHRASE environment variable |
Install cryptography:
pip install cryptography
Example Usage
Initialise the vault:
python3 scripts/credential_vault.py --mode init
# Prompts for master passphrase — not stored anywhere
Store a credential:
python3 scripts/credential_vault.py --mode set --key OPENAI_API_KEY --value sk-abc123
Retrieve a credential:
python3 scripts/credential_vault.py --mode get --key OPENAI_API_KEY
List all stored key names (no values):
python3 scripts/credential_vault.py --mode list
Rotate a key and log the event:
python3 scripts/credential_vault.py --mode rotate --key OPENAI_API_KEY --value sk-newkey456
View audit log:
python3 scripts/credential_vault.py --mode audit
Export selected keys to shell env-file:
python3 scripts/credential_vault.py --mode export --output /tmp/skill-env.sh --keys "OPENAI_API_KEY,XAI_API_KEY"
Verify vault integrity:
python3 scripts/credential_vault.py --mode check
Expected output (audit mode):
📋 Credential Vault Audit Log
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2026-04-20 05:01 UTC SET OPENAI_API_KEY
2026-04-20 05:02 UTC SET XAI_API_KEY
2026-04-20 09:00 UTC GET OPENAI_API_KEY
2026-04-20 12:00 UTC ROTATE XAI_API_KEY
Total events: 4 | Keys stored: 2