Infrastructure Official

OneCLI Agent Vault

Install OneCLI Agent Vault to secure API keys behind a credential proxy with per-agent policies and rate limits.

What it does

  • Migrate raw API keys from .env into an encrypted vault
  • Per-agent policies and rate limits for credential access
  • Credential proxy — containers never see raw API keys
  • Supports Anthropic, OpenAI, and custom API keys
  • Automatic gateway setup and readiness verification

What you'll need

  • NanoClaw installed and running
  • API keys currently stored in .env

Install

/init-onecli

How it works

The /init-onecli skill installs OneCLI Agent Vault and migrates your existing API credentials from the .env file into an encrypted vault. Once migrated, your agent containers access APIs through a credential proxy — they never see the raw keys. This is the same security model described in the Agent Vault blog post.

The proxy sits between the container and external APIs. When the agent makes an API call, the proxy injects the real credentials on the fly. You can set per-agent policies (which APIs each agent can access) and rate limits (how many requests per time window) through the vault configuration.

Setup

The skill runs in five phases:

  1. Pre-flight — checks whether OneCLI is already installed, whether the native credential proxy is in use instead, and whether the codebase expects OneCLI integration.
  2. Install — installs the OneCLI gateway and CLI tools, configures the CLI, sets ONECLI_URL in .env, and waits for the gateway to become ready.
  3. Migrate credentials — scans your .env for known API keys and migrates them to the vault. This covers ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_AUTH_TOKEN, OPENAI_API_KEY, and PARALLEL_API_KEY. Raw keys are removed from .env after migration.
  4. Build and restart — rebuilds the project (npm run build) and restarts the service to pick up the vault integration.
  5. Verify — checks logs for successful vault connection and confirms secrets are registered.

What gets migrated

The skill handles these credential types:

  • Anthropic credentials: ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_AUTH_TOKEN
  • OpenAI: OPENAI_API_KEY
  • Parallel: PARALLEL_API_KEY

Each key is registered as a named secret in the vault. The original values are removed from .env to prevent accidental exposure.
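
A post-migration check for the claim above that raw keys no longer sit in .env. This is an added example, not part of the skill or of OneCLI's own code. It assumes dotenv-style syntax (optional `export`, quotes, `#` comments); the key names and ONECLI_URL are the ones this page lists, and the sample file and its values are constructed placeholders.

```javascript
// Added example: audit .env text after /init-onecli has run.
// Key names come from this page; dotenv-style syntax is an assumption.
const MIGRATED_KEYS = new Set([
  'ANTHROPIC_API_KEY', 'CLAUDE_CODE_OAUTH_TOKEN', 'ANTHROPIC_AUTH_TOKEN',
  'OPENAI_API_KEY', 'PARALLEL_API_KEY',
]);

// Return the value part without surrounding quotes or a trailing "# comment".
function stripValue(rest) {
  const v = rest.trim();
  const quoted = v.match(/^(["'])(.*)\1/);
  return quoted ? quoted[2] : v.replace(/(^|\s)#.*$/, '').trim();
}

function auditEnv(text) {
  const leftover = [];      // active assignments that still hold a value
  const commentedOut = [];  // "#KEY=value": inert, but the secret is still on disk
  let gatewayConfigured = false;
  const lineRe = /^\s*(#\s*)?(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/;
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.match(lineRe);
    if (!m) continue;
    const [, commented, name, rest] = m;
    if (stripValue(rest) === '') continue;       // emptied entries are fine
    if (name === 'ONECLI_URL' && !commented) gatewayConfigured = true;
    if (!MIGRATED_KEYS.has(name)) continue;
    (commented ? commentedOut : leftover).push(name);
  }
  const clean = leftover.length === 0 && commentedOut.length === 0;
  // Only key names are reported, never values, so the output is safe to log.
  return { leftover, commentedOut, gatewayConfigured, ok: clean && gatewayConfigured };
}

// Constructed sample: a half-migrated file with placeholder values.
const SAMPLE_ENV = [
  '# NanoClaw settings',
  'ONECLI_URL=http://gateway.example.invalid   # placeholder address',
  'export OPENAI_API_KEY="sk-EXAMPLE-not-a-real-key"',
  'ANTHROPIC_API_KEY=',
  'CLAUDE_CODE_OAUTH_TOKEN= # removed by migration',
  '#PARALLEL_API_KEY=EXAMPLE-old-value',
].join('\n');

console.log(auditEnv(SAMPLE_ENV));
```

To check a real file, pass the contents of .env (for example from `fs.readFileSync('.env', 'utf8')`) to `auditEnv`. A commented-out key counts as a finding because the value is still readable on disk and in backups.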

Tips

  • If you’re setting up NanoClaw for the first time, run /setup first and then /init-onecli to secure your credentials immediately.
  • The gateway runs as a background process alongside NanoClaw. If it stops, the agent containers will fail to authenticate — check the gateway logs if you see unexpected auth errors.
  • You can add custom API keys to the vault manually after the initial migration. The vault supports any key-value secret, not just the ones it auto-detects.
  • For an alternative approach without OneCLI, see the native credential proxy skill (/use-native-credential-proxy), which provides similar isolation using a built-in proxy.