The OpenClaw plugin for credential management
Stop hardcoding API keys in IDENTITY.md. @secr/openclaw-plugin brokers scoped, allowlisted, audited credentials, gates outbound tool calls through the MCP gateway, and redacts secrets from agent messages before they hit the session log. Zero glue code.
openclaw plugins install npm:@secr/openclaw-pluginWhy OpenClaw needs a credential layer
OpenClaw agents authenticate to the services they act on — GitHub, Slack, email, internal APIs, cloud accounts. The default setup is to paste those tokens into a config file or environment variable. That worked when one developer ran one agent locally. It does not scale.
In 2026, security researchers documented over 40,000 publicly exposed OpenClaw deployments leaking API keys, OAuth tokens, and cloud credentials in plaintext. The pattern is consistent: credentials are too broad, never rotated, and not tied to any identity that can be audited or revoked.
secr fixes the credential layer without changing how OpenClaw is run. You replace one config file with one SDK call. Everything else — the broker, the allowlist, the MCP gateway, the audit trail — runs server-side.
60-second install
The plugin registers before_tool_call, after_tool_call, and before_message_write hooks plus the secr.* tools automatically. No SDK glue code, no agent edits.
# One-line plugin install — no SDK glue code needed
openclaw plugins install npm:@secr/openclaw-plugin
# Or via ClawHub
openclaw plugins install clawhub:secr
# Set the agent token (from secr dashboard → Agents)
export SECR_AGENT_TOKEN=secr_agent_xxx
# Run any OpenClaw agent — secrets resolve at runtime,
# tool calls flow through the gateway, redaction is automatic.
openclaw run my-agentThree hooks, full coverage
before_tool_callAllow / deny / rate-limit / require-approval. Atomic one-shot grant consumption via Postgres FOR UPDATE SKIP LOCKED.
after_tool_callRecords the actual outcome — success / error and durationMs — not just "the call was allowed". Accurate audit trail.
before_message_writeDefence-in-depth: redacts known secret values from agent messages before they're written to the session log. 5-min cache.
Advanced: programmatic broker
If you can't use the plugin (custom runtime, embedded), the @secr/openclaw SDK gives you the same broker as a library.
// Advanced: programmatic broker (when you don't want the plugin).
import { OpenClawSecretBroker, loadIdentity } from "@secr/openclaw";
const parsed = await loadIdentity("./IDENTITY.md");
const broker = OpenClawSecretBroker.fromIdentity(parsed);
await broker.materializeEnv();
// process.env now has only the keys the server allows for this agent.IDENTITY.md is your binding
Add a secr: block to the IDENTITY.md frontmatter. The agent token never lives in the file — it's passed via SECR_AGENT_TOKEN env var or directly to the broker.
---
secr:
org: acme
project: support-bot
environment: production
---
## Name
SupportBot
## Creature
AI Agent
## Vibe
Helpful and cautiousEverything secr does for OpenClaw
Every feature is server-enforced. The SDK is a thin wrapper — there's no client-side trust boundary.
Credential broker
Replace plaintext API keys in OpenClaw configs with a short-lived agent session. materializeEnv() drops the resolved secrets into process.env at runtime.
Per-agent secret allowlists
Limit each OpenClaw agent to a specific list of secret keys. Server-enforced — no SDK trust required, every read path checks the allowlist.
MCP approval queue
Mark sensitive tools (delete_repo, refund, send_email) as approval-required. Calls block, queue in the dashboard, and an admin approves with one click.
Atomic one-shot grants
Approved tool calls consume exactly once. Postgres FOR UPDATE SKIP LOCKED ensures concurrent agents can't double-spend a single approval.
Shadow-agent detection
OpenClaw user-agent fingerprinting flags unmanaged agents using personal CLI tokens. Each detection records framework=openclaw with risk scoring.
Conditional access
Pin agents to IP ranges, business hours, and required user-agent patterns. Stolen tokens fail outside their authorised envelope.
NHI posture rules
The compliance report flags any OpenClaw-fingerprinted agent missing project, environment, or allowlist scoping — with a one-line remediation.
Tool-call audit trail
Every tool invocation is recorded with redacted parameters, status, duration, and source. Exportable, queryable, and tied back to the agent identity.
Recommended reading
- Securing OpenClaw agents — what NHI means in practice
- Getting started with OpenClaw and secr
- OpenClaw secret allowlists — limit what each agent can read
- Human-in-the-loop tool approvals for OpenClaw
- Detecting shadow OpenClaw agents in your organisation
- The OpenClaw NHI posture checklist
- OpenClaw vs Claude Code — how NHI differs across AI agent frameworks
- Why plaintext .env files are failing OpenClaw
Stop pasting API keys into OpenClaw configs
Broker, allowlist, gateway, approval queue, message redaction, and audit trail in one plugin install. Free for 1 AI agent — no card.