secret-portal

⚠Review·Scanned 2/17/2026

This skill launches a one-time web UI to collect secret keys and save them to an env file (e.g., ~/.env) via a CLI (uv run ...). It instructs executing uv run (shell execution), storing secrets to ~/.env (credential storage), and using cloudflared/ngrok (network downloads/tunneling).

from clawhub.ai·v4a6d36b·2.7 KB·0 installs

Scanned from 0.1.0 at 4a6d36b · Transparency log ↗

$ vett add clawhub.ai/awlevin/secret-portalReview findings below

Secret Portal

Spin up a temporary, one-time-use web UI for securely entering secret keys and environment variables. No secrets ever touch chat history or terminal logs.

Quick Start

# Single key with cloudflared tunnel (recommended)
uv run --with secret-portal secret-portal \
  -k API_KEY_NAME \
  -f ~/.secrets/target-env-file \
  --tunnel cloudflared

# With guided instructions and a link to the key's console
uv run --with secret-portal secret-portal \
  -k OPENAI_API_KEY \
  -f ~/.env \
  -i '<strong>Get your key:</strong><ol><li>Go to platform.openai.com</li><li>Click API Keys</li><li>Create new key</li></ol>' \
  -l "https://platform.openai.com/api-keys" \
  --link-text "Open OpenAI dashboard →" \
  --tunnel cloudflared

# Multi-key mode (no -k flag, user enters key names and values)
uv run --with secret-portal secret-portal \
  -f ~/.secrets/keys.env \
  --tunnel cloudflared

Options

Flag	Description
`-k, --key`	Pre-populate a single key name (user only enters the value)
`-f, --env-file`	Path to save secrets to (default: `~/.env`)
`-i, --instructions`	HTML instructions shown above the input field
`-l, --link`	URL button for where to get/create the key
`--link-text`	Label for the link button (default: "Open console →")
`--tunnel`	`cloudflared` (recommended), `ngrok`, or `none`
`-p, --port`	Port to bind to (default: random)
`--timeout`	Seconds before auto-shutdown (default: 300)

Tunneling

Use --tunnel cloudflared — it's free, requires no account, has no interstitial pages, provides HTTPS, and auto-downloads the binary if missing.

ngrok free tier shows an interstitial warning page that blocks mobile and automated use.

Without a tunnel, the port must be open in your firewall/security group. The CLI will warn you if it detects the port is unreachable.

Security

One-time use: portal expires after a single submission
Token auth: URL contains a random 32-byte token
Secret values are never printed to stdout/stderr (enforced by tests)
Env file is written with 600 permissions (owner-only)
Secrets never touch chat history or terminal logs

Source

https://github.com/Olafs-World/secret-portal