OpenClaw SKILL.md Integration
Native skill integration for OpenClaw agents. Your agents access secrets with zero boilerplate using the built-in skill protocol.
What is OpenClaw?
OpenClaw is an open-source AI agent framework that runs agents 24/7, communicating via Telegram, Discord, and other interfaces. It features a skill system — a standardized way for agents to discover and use external capabilities defined in SKILL.md manifests.
Agent Secret Store publishes a SKILL.md manifest that gives OpenClaw agents native access to the vault — no custom code required. The skill is discoverable via the /.well-known/skill.md endpoint.
https://agentsecretstore.com/.well-known/skill.mdInstallation
# The skill manifest is served at:
# https://agentsecretstore.com/.well-known/skill.md
# or via OpenClaw skill registry: agent-secret-store/vault
# Install in OpenClaw:
openclaw skill install agent-secret-store/vault
# or via config:# ~/.openclaw/config.yaml or your agent's config.yaml
skills:
- name: agent-secret-store
url: https://agentsecretstore.com/.well-known/skill.md
config:
agent_key: ${ASS_AGENT_KEY} # from environment
default_namespace: production # optional default prefix
cache_ttl_seconds: 60 # client-side cache for reads (default: 60)SKILL.md contents
The skill manifest defines the available tools and their parameters. OpenClaw reads this manifest at startup and makes the tools available to all agents.
# Agent Secret Store Vault Skill
description: Securely store and retrieve credentials, API keys, and secrets.
auth:
type: bearer
env: ASS_AGENT_KEY
endpoint: https://api.agentsecretstore.com/v1
tools:
- name: get_secret
description: Retrieve a secret from the vault by path
parameters:
path:
type: string
required: true
description: Secret path (e.g. "production/openai/api-key")
version:
type: integer
required: false
description: Specific version to retrieve (omit for latest)
- name: set_secret
description: Store a new secret or update an existing one
parameters:
path:
type: string
required: true
value:
type: string
required: true
tier:
type: string
enum: [standard, sensitive, critical]
default: standard
description:
type: string
required: false
- name: list_secrets
description: List secrets in a namespace (paths and metadata only, no values)
parameters:
namespace:
type: string
required: true
- name: request_token
description: Request a scoped short-lived token for a specific secret path pattern
parameters:
scope:
type: string
required: true
description: "Scope format: secrets:action:namespace/pattern"
ttl_seconds:
type: integer
default: 3600
description:
type: string
required: falseAgent configuration
Reference the skill in your agent config. The agent can then use any vault tool in its tasks:
# Example OpenClaw agent using the vault skill
name: inference-agent
version: "1.0"
skills:
- agent-secret-store
system_prompt: |
You are an AI inference agent. Before making any API calls,
retrieve the necessary credentials from the vault using the
get_secret tool. Never hardcode credentials.
tasks:
- name: run_inference
description: Run GPT-4 inference on a user prompt
steps:
- tool: get_secret
params:
path: "production/openai/api-key"
output: openai_key
- tool: openai.chat
params:
api_key: "{{ openai_key.value }}"
model: gpt-4o
prompt: "{{ input.prompt }}"Python skill handler
For custom skill handlers written in Python, use the agentsecretstore SDK directly:
# Using the Python SDK inside an OpenClaw skill handler
import asyncio
from agentsecretstore import AgentVault
from openai import AsyncOpenAI
class InferenceSkill:
"""OpenClaw skill that fetches credentials from Agent Secret Store."""
def __init__(self):
self.vault = AgentVault()
# Reads ASS_AGENT_KEY from environment
async def run(self, prompt: str, scoped_token: str | None = None) -> str:
"""
scoped_token: Issued by orchestrator with scope
"secrets:read:production/openai/*"
"""
async with self.vault:
secret = await self.vault.get_secret(
"production/openai/api-key",
token=scoped_token, # use scoped token if provided
)
client = AsyncOpenAI(api_key=secret.value)
response = await client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": prompt}],
)
return response.choices[0].message.content or ""
# Register with OpenClaw
skill = InferenceSkill()Real-world example: Telegram agent
This is the pattern used by Optimus-Will and Incredibot (OpenClaw agents on MoltbotDen) to fetch their Telegram credentials at startup:
# Real-world example: OpenClaw Telegram bot that uses the vault
# This is how Optimus-Will and Incredibot access credentials
import asyncio
from agentsecretstore import AgentVault
async def get_telegram_token() -> str:
"""Fetch Telegram bot token from vault at startup."""
async with AgentVault() as vault:
secret = await vault.get_secret("production/telegram/bot-token")
return secret.value
async def main():
# Fetch credentials from vault instead of .env
telegram_token = await get_telegram_token()
# Initialize Telegram bot with vaulted credential
from telegram.ext import ApplicationBuilder
app = ApplicationBuilder().token(telegram_token).build()
await app.run_polling()
asyncio.run(main())No more .env files for your agents
This pattern completely eliminates the need to copy credentials into .env files or environment variables on your agent's host machine. The vault is the single source of truth — rotate a key once, all agents get the new value automatically.
MoltbotDen Trust Tier
If your OpenClaw agent is registered on MoltbotDen, its trust tier automatically influences approval requirements when accessing sensitive secrets. Higher-trust agents (Verified T5, Established T4) may bypass approvals that unregistered agents require.
Enable this integration in your tenant dashboard under Settings → Integrations → MoltbotDen. See the Approval Workflows docs for the full trust tier table.
MCP Server →
Use the vault from Claude, Cursor, or any MCP client.
MoltbotDen Guide →
Full integration guide for MoltbotDen agents.