OpenClaw · Skill
Authy
Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.
Install
Start with the primary install command. Alternate entrypoints are included below for ClawHub and OpenClaw CLI users.
Primary command
clawhub install eric8810/authyClawHub installer
npx clawhub@latest install eric8810/authyOpenClaw CLI
openclaw skills install eric8810/authyDirect OpenClaw install
openclaw install eric8810/authyWhat this skill does
Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.
Why it matters
Unlike exporting env vars manually or using .env files, secrets never appear in shell history, process listings, or on disk at any point.
Typical use cases
- Running a deploy script with production API keys
- Starting a backend server with database credentials
- Executing tests that require third-party service tokens
- Injecting cloud provider credentials into a CI build step
- Running a curl request with a bearer token from a secret store
Source instructions
Authy — Secure Secret Injection
Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.
How It Works
Your token is run-only. You can discover secret names with authy list and inject them into subprocesses with authy run. You never see secret values directly.
Inject Secrets into a Command
authy run --scope <policy> --uppercase --replace-dash '_' -- <command> [args...]
The --uppercase --replace-dash '_' flags turn secret names like db-host into env vars like DB_HOST.
Examples:
authy run --scope deploy --uppercase --replace-dash '_' -- ./deploy.sh
authy run --scope backend --uppercase --replace-dash '_' -- node server.js
authy run --scope testing --uppercase --replace-dash '_' -- pytest
Discover Secret Names
authy list --scope <policy> --json
Output: {"secrets":[{"name":"db-host","version":1,...}]}
Write Scripts That Use Secrets
Write code that reads environment variables, then run it with authy run:
cat > task.sh << 'EOF'
#!/bin/bash
curl -H "Authorization: Bearer $API_KEY" https://api.example.com/data
EOF
chmod +x task.sh
authy run --scope my-scope --uppercase --replace-dash '_' -- ./task.sh
Error Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 2 | Auth failed — check AUTHY_TOKEN / AUTHY_KEYFILE |
| 3 | Secret or policy not found |
| 4 | Access denied or run-only restriction |
| 6 | Token invalid, expired, or revoked |
Rules
- Only use
authy runandauthy list— these are the only commands available to you - Never hardcode credentials — reference env vars, run via
authy run - Never echo, print, or log env vars in subprocess scripts — secrets exist in memory only
- Never redirect env vars to files — do not write
$SECRETto disk - Use
--scopeto limit access to needed secrets only