SkyClaw Adds Encrypted Chat-Based API Key Setup for AI Agents

✍️ OpenClawRadar | 📅 Published: March 11, 2026

SkyClaw introduces a method for securely setting up API keys through chat interfaces without exposing them to LLMs or messaging platforms. The system addresses the workflow friction of traditional self-hosted agents that require SSH access, config file edits, and service restarts to change keys.

How It Works

The solution has two security layers:

  • Layer 1 — System intercept: Key commands (/addkey, /keys, /removekey) and encrypted blobs (starting with enc:v1:) are caught in main.rs before messages reach the agent. The Rust process decrypts, validates, and saves to the vault, keeping the LLM completely uninvolved in credential operations.
  • Layer 2 — OTK encryption: Uses URL fragments (#), which are never sent to servers per RFC 3986. The flow: the bot sends setup.page/#one-time-256bit-key; the browser encrypts the API key locally using AES-256-GCM with WebCrypto; the user pastes the encrypted blob back into chat; the bot decrypts it at the system layer, saves the key, then burns the one-time key.

Security Results

  • Messaging platforms see only ciphertext (useless without OTK)
  • The LLM sees nothing (intercepted before agent loop)
  • GitHub Pages sees only GET /setup
  • Works on any platform that sends/receives text

Comparison with Other Projects

The source identifies limitations in current solutions:

  • OpenClaw: Uses config files, env vars, CLI wizard, optional external secret managers. GitHub issue #11829 states: "OpenClaw currently has multiple vectors where API keys can leak to the LLM or be exposed in chat." Issue #19137 documents config.get leaking API keys into session transcript JSONL files.
  • OpenFang (Rust): Uses env vars referenced in config.toml (api_key_env = "ANTHROPIC_API_KEY"), CLI init wizard, dashboard UI. Has strong at-rest security with Zeroizing<String> and AES-256-GCM credential vault, but no secure key ingestion from chat.
  • NanoClaw: Uses ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN env vars set during /setup skill. In Docker Sandbox mode, proxy-based system substitutes sentinel values, but still no encrypted key transit through messaging.
  • PicoClaw: Uses ~/.picoclaw/config.json with env var overrides (PICOCLAW_PROVIDERS_*). Issue #972 documents subagent credential leakage when self-healing logic reads config.json and echoes raw API keys into chat logs.

The fundamental problem, as OpenClaw's issue #7916 states: "keys must be in plain text for [the system] to operate." External secret managers defer plaintext exposure to runtime, but none of these projects encrypts the key in transit.

Technical Details

URL fragments work because, per RFC 3986, # and everything after it is never sent to the server in HTTP requests, is not included in the Referer header, is not logged by CDNs, proxies, or web servers, and is processed entirely client-side. GitHub Pages receives GET /setup with zero knowledge of the OTK.

The message handler in main.rs applies a strict priority order: key commands and encrypted blobs are matched first and return immediately, never falling through to the agent. The LLM only receives messages that pass all checks. On the output side, a SecretCensorChannel wraps every outbound message.
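The priority order described above can be sketched as follows. This is an added example, not SkyClaw's code: the `Route` enum, `route` and `censor` are hypothetical names, and the redaction behaviour shown for the outbound side is an assumption about what a wrapper like SecretCensorChannel would do.

```rust
// Added illustration; not SkyClaw's code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
enum Route {
    KeyCommand(String),    // handled by the system layer
    EncryptedBlob(String), // payload after "enc:v1:", decrypted by the system layer
    Agent(String),         // the only variant ever forwarded to the LLM
}

const KEY_COMMANDS: [&str; 3] = ["/addkey", "/keys", "/removekey"];
const BLOB_PREFIX: &str = "enc:v1:";

/// Strict priority: credential traffic is matched first and returns
/// immediately, so it cannot fall through to the agent loop.
fn route(msg: &str) -> Route {
    let trimmed = msg.trim();
    // Compare the whole first token so "/keysmith" is not mistaken for "/keys".
    let first = trimmed.split_whitespace().next().unwrap_or("");
    if KEY_COMMANDS.contains(&first) {
        return Route::KeyCommand(first.to_string());
    }
    if let Some(payload) = trimmed.strip_prefix(BLOB_PREFIX) {
        return Route::EncryptedBlob(payload.to_string());
    }
    Route::Agent(trimmed.to_string())
}

/// Outbound side (assumed behaviour): replace every stored secret in a reply.
fn censor(outbound: &str, secrets: &[&str]) -> String {
    let mut out = outbound.to_string();
    for s in secrets {
        if s.is_empty() {
            continue; // replacing "" would insert the marker between every char
        }
        out = out.replace(*s, "[REDACTED]");
    }
    out
}

fn main() {
    // Constructed sample messages.
    for m in ["/addkey", "enc:v1:Q09OU1RSVUNURUQ=", "summarise my inbox"] {
        println!("{:?}", route(m));
    }
    println!("{}", censor("your key is sk-constructed-123", &["sk-constructed-123"]));
}
```

Because `route` returns on the first match, a reviewer can verify the guarantee by checking that `Route::Agent` is constructed in exactly one place, after both credential checks.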

📖 Read the full source: r/openclaw
