AgentSkillsCN

swamp-vault

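Manage Swamp vaults for secure storage of sensitive information. Use when creating vaults, storing secrets, retrieving secrets, listing vault keys, or working with vault expressions in workflows. Triggered by "vault", "secret", "secrets", "credentials", "api key storage", "secure storage", "password", "token", "key management", "sensitive data", "encrypt", "aws secrets manager", "store secret", "put secret", "get secret", "credential storage", or vault-related CLI commands.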

SKILL.md
--- frontmatter
name: swamp-vault
description: Manage swamp vaults for secure secret storage. Use when creating vaults, storing secrets, retrieving secrets, listing vault keys, or working with vault expressions in workflows. Triggers on "vault", "secret", "secrets", "credentials", "api key storage", "secure storage", "password", "token", "key management", "sensitive data", "encrypt", "aws secrets manager", "store secret", "put secret", "get secret", "credential storage", or vault-related CLI commands.

Swamp Vault Skill

Manage secure secret storage through swamp vaults. All commands support --json for machine-readable output.

Quick Reference

| Task | Command |
| --- | --- |
| List vault types | swamp vault type search --json |
| Create a vault | swamp vault create <type> <name> --json |
| Search vaults | swamp vault search [query] --json |
| Get vault details | swamp vault get <name_or_id> --json |
| Edit vault config | swamp vault edit <name_or_id> |
| Store a secret | swamp vault put <vault> KEY=VALUE --json |
| Get a secret | swamp vault get <vault> <key> --json |
| List secret keys | swamp vault list-keys <vault> --json |

Repository Structure

Vaults use a dual-layer architecture:

  • Data directory (/.swamp/vault/) - Internal storage by vault type
  • Logical views (/vaults/) - Human-friendly symlinked directories
code
/vaults/{vault-name}/
  vault.yaml → ../.swamp/vault/{type}/{id}.yaml
  secrets/ → ../.swamp/secrets/{type}/{vault-name}/ (local_encryption only)

Vault Types

Two vault types are available:

local_encryption

Stores secrets encrypted locally using AES-GCM. Best for development and local workflows.

yaml
config:
  auto_generate: true # Generate encryption key automatically
  # OR
  ssh_key_path: "~/.ssh/id_rsa" # Use SSH key for encryption

aws

Integrates with AWS Secrets Manager. Best for production environments.

yaml
config:
  region: "us-east-1" # Required
  # profile: "default"  # Optional: AWS profile name

Create a Vault

bash
swamp vault create local_encryption dev-secrets --json
swamp vault create aws prod-secrets --json

Output shape:

json
{
  "id": "abc-123",
  "name": "dev-secrets",
  "type": "local_encryption",
  "path": ".swamp/vault/local_encryption/abc-123.yaml"
}

After creation, edit the config if needed:

bash
swamp vault edit dev-secrets

Store Secrets

bash
swamp vault put dev-secrets API_KEY=sk-1234567890 --json
swamp vault put prod-secrets DB_PASSWORD=secret123 -f --json  # Skip confirmation

Output shape:

json
{
  "vault": "dev-secrets",
  "key": "API_KEY",
  "status": "stored"
}

Get a Secret

Retrieve a specific secret value from a vault.

bash
swamp vault get dev-secrets API_KEY --json

Output shape:

json
{
  "vault": "dev-secrets",
  "key": "API_KEY",
  "value": "sk-1234567890"
}

Note: Use with caution. Secret values are sensitive and should not be logged or displayed unnecessarily.

List Secret Keys

Returns key names only (never values):

bash
swamp vault list-keys dev-secrets --json

Output shape:

json
{
  "vault": "dev-secrets",
  "keys": ["API_KEY", "DB_PASSWORD"]
}

Vault Expressions

Access secrets in model inputs and workflows using CEL expressions:

yaml
attributes:
  apiKey: ${{ vault.get(dev-secrets, API_KEY) }}
  dbPassword: ${{ vault.get(prod-secrets, DB_PASSWORD) }}

Key rules:

  • Vault must exist before expression evaluation
  • Expressions are evaluated lazily at runtime
  • Failed lookups throw errors with helpful messages

Using Vaults in Workflows

For detailed workflow integration including the swamp/lets-get-sensitive model, see the swamp-workflow skill.

Quick syntax reference:

yaml
# In workflow step attributes
apiKey: ${{ vault.get(vault-name, secret-key) }}

# Environment-specific
prodToken: ${{ vault.get(prod-secrets, auth-token) }}
devToken: ${{ vault.get(dev-secrets, auth-token) }}

Security Best Practices

  1. Environment separation: Use different vaults for dev/staging/prod
  2. Never hardcode: Always use vault expressions for secrets
  3. Audit access: Monitor vault operations through logs
  4. Key rotation: Rotate secrets and encryption keys regularly
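
A pre-flight check for the "never hardcode" rule and the "vault must exist" key rule, as an added example that is not part of this skill or of swamp itself: it scans workflow attributes for hardcoded credentials and for vault.get references to vaults or keys missing from `swamp vault list-keys <vault> --json` output. The attribute-name heuristic, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re

# The page's expression form: ${{ vault.get(<vault>, <key>) }}
VAULT_EXPR = re.compile(r"\$\{\{\s*vault\.get\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)\s*\}\}")
# Assumption: attribute names like these usually hold credentials.
SECRET_NAME = re.compile(r"key|token|password|secret|credential", re.I)
ATTR_LINE = re.compile(r"^\s*([\w-]+):\s*(\S.*?)\s*$")

def load_inventory(list_keys_outputs):
    """Build {vault: set(keys)} from `swamp vault list-keys <vault> --json` output."""
    docs = [json.loads(raw) for raw in list_keys_outputs]
    return {d["vault"]: set(d["keys"]) for d in docs}

def audit(workflow_text, inventory):
    """Return (line_no, attribute, problem) tuples; secret values are never echoed."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = ATTR_LINE.match(line.split(" #", 1)[0])  # ignore trailing comments
        if not m:
            continue
        name, value = m.groups()
        expr = VAULT_EXPR.search(value)
        if expr is None:
            if SECRET_NAME.search(name):
                findings.append((no, name, "hardcoded value, use a vault expression"))
            continue
        vault, key = expr.groups()
        if vault not in inventory:
            findings.append((no, name, f"unknown vault {vault}"))
        elif key not in inventory[vault]:
            findings.append((no, name, f"key {key} not in vault {vault}"))
    return findings

# Constructed sample data, not taken from a real repository.
LIST_KEYS = [
    '{"vault": "dev-secrets", "keys": ["API_KEY", "DB_PASSWORD"]}',
    '{"vault": "prod-secrets", "keys": ["DB_PASSWORD"]}',
]
WORKFLOW = """\
attributes:
  apiKey: ${{ vault.get(dev-secrets, API_KEY) }}
  authToken: sk-1234567890
  prodToken: ${{ vault.get(prod-secrets, auth-token) }}
  stageKey: ${{ vault.get(stage-secrets, API_KEY) }}
  region: us-east-1
"""

if __name__ == "__main__":
    print(*audit(WORKFLOW, load_inventory(LIST_KEYS)), sep="\n")
```

Because the inventory comes from list-keys output, the check never needs to read a secret value, and findings name only the attribute.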

When to Use Other Skills

| Need | Use Skill |
| --- | --- |
| Vault usage in workflows | swamp-workflow |
| Create/run models | swamp-model |
| Repository structure | swamp-repo |
| Manage model data | swamp-data |

References