Secrets management built for AI agents
.env files were designed for one developer running one process. They break when the "developer" is an autonomous agent that can read every variable and call any tool. secr is the credential and governance layer that fixes the gap — without changing how your agent runs.
claude mcp add secr -e SECR_TOKEN=secr_agent_xxx -- npx @secr/mcp
openclaw plugins install npm:@secr/openclaw-plugin
The four ways agents leak secrets
Every problem below is one secr fixes by default. None of them are theoretical — they're the patterns documented in the 2026 wave of OpenClaw and MCP exposure incidents.
The agent reads your entire .env file
An agent with file access reads every credential you've ever put in .env, not just the ones it needs. A compromised agent — bad model output, supply-chain attack, prompt injection — exfiltrates the lot.
→ Per-agent secret allowlist enforced server-side. The agent only sees keys you whitelisted, even if it asks for everything.
The agent calls a tool it shouldn't
Agents have tools (delete_repo, transfer_funds, send_email). A misaligned model, a confused chain of thought, or a prompt injection can fire a tool you'd never authorise manually.
→ Tool-call gateway with allow/deny rules, per-agent rate limits, and human-in-the-loop approval queues with atomic one-shot grant consumption.
Secrets leak into the agent's session log
Even with a broker, models occasionally regurgitate values they've seen — "the API key is sk_live_xxx" — and that line ends up persisted in the session log forever.
→ before_message_write hook redacts known secret values from agent messages before persistence. Defence-in-depth, not just access control.
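The redaction step described above, sketched as an added example; it is not secr's plugin code. The names `buildRedactor` and `redact`, the placeholder format and the minimum length are assumptions, and matching URL-encoded, base64 and hex forms goes beyond what the page states.

```javascript
// Added example, not secr's plugin code. Names and hook shape are assumptions.
const MIN_LEN = 8; // shorter values would match ordinary text and mangle the log

// Literal forms in which one secret value commonly reappears in output.
function variantsOf(value) {
  const buf = Buffer.from(value, "utf8");
  return new Set([
    value,
    encodeURIComponent(value),
    buf.toString("base64"),
    buf.toString("base64url"),
    buf.toString("hex"),
  ]);
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// secrets: { NAME: value } for every secret this agent has been served.
function buildRedactor(secrets) {
  const nameOf = new Map(); // needle text -> secret name
  for (const [name, value] of Object.entries(secrets)) {
    if (typeof value !== "string" || value.length < MIN_LEN) continue;
    for (const v of variantsOf(value)) if (!nameOf.has(v)) nameOf.set(v, name);
  }
  // Longest first: regex alternation takes the first branch that matches, so
  // a secret that contains another secret is replaced whole.
  const needles = [...nameOf.keys()].sort((a, b) => b.length - a.length);
  const pattern = needles.length
    ? new RegExp(needles.map(escapeRe).join("|"), "g")
    : null;

  // Single pass, so inserted placeholders are never rescanned.
  return function redact(message) {
    const hits = new Set();
    if (!pattern) return { text: message, hits: [] };
    const text = message.replace(pattern, (m) => {
      hits.add(nameOf.get(m));
      return `[REDACTED:${nameOf.get(m)}]`;
    });
    return { text, hits: [...hits].sort() };
  };
}

// Constructed sample values, not real credentials.
const redact = buildRedactor({
  API_KEY: "sk_live_xxx_constructed_01",
  PIN: "1234",
});
console.log(redact("the API key is sk_live_xxx_constructed_01"));
```

A value embedded inside a larger base64 blob or split across two messages will not match, so this remains a second layer behind the server-side allowlist.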
You don't know which agents are running
Engineers build local agents with their own CLI tokens. There's no inventory, no scoping, no audit. When something goes wrong, you can't tell whether agent A or agent B did it.
→ Shadow-agent detection fingerprints OpenClaw and MCP user agents from CLI traffic. Each detection records framework + risk score, surfacing unmanaged agents in the dashboard.
Pick your integration
Same secr account, same agent token. Different surfaces — choose the one your agent already speaks.
OpenClaw plugin
Native plugin: hooks for tool gating, redaction, audit. ClawHub-listed.
MCP server (@secr/mcp)
Drop-in MCP for Claude Code, Cursor, Continue, Copilot, Windsurf.
Telegram approvals
One-tap Approve/Deny inline keyboard. Bot token encrypted server-side.
Approval webhooks
Slack, PagerDuty, Discord. HMAC-verified. Idempotency keys included.
What free includes
- ✓ 1 AI agent identity (works with OpenClaw, MCP, Claude Code, Cursor, Continue, Copilot)
- ✓ Per-agent secret allowlist (server-enforced)
- ✓ before_message_write redaction in the OpenClaw plugin
- ✓ 7-day audit log of every secret access and tool call
- ✓ 3 projects, 100 secrets, version history, secret promotion
When you need the MCP gateway with tool-call rules and approval queues, more than one agent, or anomaly detection — that's Pro and Team.
Recommended reading
- secr vs Doppler, Infisical, Vault — for AI agents (side-by-side)
- Approval webhooks for OpenClaw agents — Slack, PagerDuty, Discord
- Approve OpenClaw tool calls from Telegram
- Human-in-the-loop tool approvals for OpenClaw
- Per-agent secret allowlists — limit what each agent can read
- Detecting shadow agents in your organisation
- Why .env is the wrong primitive for AI agents
Ship one agent today, scale when you're ready
Sign up, create an agent identity, install the plugin or the MCP server. Whole loop is under 5 minutes.