Skip to content

docs(plugins): add @secr/openclaw-plugin#81

Open
secr-dev wants to merge 1 commit into
vincentkoc:mainfrom
secr-dev:add-secr-plugin
Open

docs(plugins): add @secr/openclaw-plugin#81
secr-dev wants to merge 1 commit into
vincentkoc:mainfrom
secr-dev:add-secr-plugin

Conversation

@secr-dev

@secr-dev secr-dev commented May 8, 2026

Copy link
Copy Markdown

What this adds

A new entry under Plugins and Integrations for @secr/openclaw-plugin
a native OpenClaw plugin that wraps every tool call through a
secrets-management and Non-Human Identity governance layer. Available on
both ClawHub and npm.

Traction & evidence (per CONTRIBUTING.md)

  • ClawHub listed: https://clawhub.ai/plugins/@secr/openclaw-plugin (latest 0.1.2)
  • npm published: https://www.npmjs.com/package/@secr/openclaw-plugin (0.1.2 with openclaw.compat.pluginApi >=2026.5.0, builtWith 2026.5.7)
  • Verified live against OpenClaw 2026.5.7. Hook registration confirmed via openclaw plugins inspect secr --runtime --json (typed-hook entry on before_tool_call); live event/ctx payload captured and validated against the documented contract.
  • Documentation surface: dedicated landing page + 8 deep-dive blog posts on secr.dev covering setup, allowlists, approval queues, shadow detection, posture rules, plus webhook/Telegram delivery posts.
  • Open-source: source repo + commit hash linked below; MIT licensed; passes ClawHub structural verification (source-linked / artifact-only).
  • Real users: positions secr as the credential layer specifically for OpenClaw, addressing the 2026 exposure incidents that brought NHI for autonomous agents into the mainstream conversation.

What it does

  • Credentials broker — replaces plaintext API keys in IDENTITY.md /
    .env files with a short-lived agent-token session against the secr API.
    Per-agent server-side secretAllowlist enforced on every read.
  • Tool-call governance — registers the before_tool_call plugin hook
    via api.on() and:
    • blocks tools listed in deny rules (rules accept arbitrary string tool
      names, not just MCP secret operations)
    • enforces per-agent rate limits (per-minute / per-hour)
    • returns requireApproval for tools matching approval-required rules,
      surfacing OpenClaw's native approval UI
    • atomically consumes one-shot approval grants via Postgres
      FOR UPDATE SKIP LOCKED (no double-spend under concurrent retries)
  • Audit — every secret read and tool call recorded server-side with
    redacted parameters, agent identity, environment, IP.
  • Approval delivery — generic webhooks (mcp.approval_required /
    mcp.approval_decided) plus interactive Telegram bots with one-tap
    Approve/Deny inline keyboards.
  • OpenClaw-native tools — also registers secr.get_secret,
    secr.list_envs, and secr.materialize_env for explicit calls from
    agent code.

Install

# from ClawHub (recommended)
openclaw plugins install clawhub:@secr/openclaw-plugin

# or from npm
openclaw plugins install npm:@secr/openclaw-plugin

Add a secr: block to ~/.openclaw/openclaw.json under
plugins.entries.secr.config with token, org, project,
environment, then openclaw gateway restart.

Links

Disclosure

Submitted by the secr team — happy to adjust the description, drop the
entry, or move the placement if it fits better elsewhere in the list.

I'd ordinarily open an "Add Resource Request" issue first per the
CONTRIBUTING flow; submitting the PR directly because the entry is a
single bullet line under an existing section. Happy to convert this to an
issue first if preferred.

@secr-dev secr-dev force-pushed the add-secr-plugin branch from 73ed9b2 to 2cb5fef Compare May 9, 2026 16:16
@secr-dev secr-dev changed the title Add @secr/openclaw-plugin under Plugins and Integrations docs(plugins): add @secr/openclaw-plugin May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants