Credential isolation for OpenClaw β secrets stay submerged, agents stay dry.
You have bought yourself a brand new Mac Mini (or credits at your favorite cloud provider) and now you are still scared about your API credentials because you read all the articles.
We get it.
With Aquaman API keys never enter the agent process. Aquaman stores them in a secure vault of your choosing and injects auth headers via a separate proxy. Even a fully compromised agent should not be able to exfiltrate your keys.
npm install -g aquaman-proxy # install the proxy CLI
aquaman setup # stores keys, installs OpenClaw plugin
openclaw # proxy starts automatically via plugin
aquaman setupauto-detects your credential backend. macOS defaults to Keychain, Linux defaults to encrypted file. Override with--backend:aquaman setup --backend keepassxcOptions:keychain,encrypted-file,keepassxc,1password,vault,systemd-creds
Existing plaintext credentials are migrated automatically during setup.
The migration detects credentials from channels (Telegram, Slack, etc.)
and third-party plugins/skills (any *token*, *key*, *secret*,
*password* fields in openclaw.json plugin configs). Upstream URLs are
auto-detected from plugin config fields like endpoint or baseUrl.
Run again anytime to migrate new credentials: aquaman migrate openclaw --auto
The plugin starts the proxy for you β no extra steps. To check everything is wired up correctly:
aquaman doctor # diagnose issues with actionable fixes
aquaman help # list all commandsSingle-image deployment β same UDS architecture as local, containerized.
git clone https://github.com/tech4242/aquaman.git && cd aquaman
cp docker/.env.example docker/.env
# Edit docker/.env β pick a backend and set its credentials
# needless to say instead of .env you should handle your env properly but this is a starting point you can test.
npm run docker:build
npm run docker:runAgent / OpenClaw Gateway Aquaman Proxy
ββββββββββββββββββββββββ ββββββββββββββββββββββββ
β β β β
β ANTHROPIC_BASE_URL βββ Unix ββββ> β Keychain / 1Pass / β
β = aquaman.local β Domain β Vault / Encrypted β
β β<β Socket βββ β β
β fetch() interceptor βββ (UDS) ββ=> β + Auth injected: β
β redirects channel β β header / url-path β
β API traffic β β basic / oauth β
β β β β
β No credentials. β ~/.aquaman/ β β
β No open ports. β proxy.sock β β
β Nothing to steal. β (chmod 600) β β
ββββββββββββββββββββββββ ββββ¬βββββββββββ¬βββββββββ
β β
β βΌ
β ~/.aquaman/audit/
β (hash-chained log)
βΌ
api.anthropic.com
api.telegram.org
slack.com/api ...
- Store β Credentials live in a vault backend (Keychain, 1Password, Vault, encrypted file)
- Proxy β Aquaman runs a reverse proxy in a separate process, connected via Unix domain socket β no TCP port, no network exposure
- Inject β Proxy looks up the credential and adds the auth header before forwarding
The agent only sees a sentinel hostname (aquaman.local). It never sees a key, and no port is open for other processes to probe.
| Backend | Best For | Setup |
|---|---|---|
keychain |
Local dev on macOS (default) | Works out of the box |
encrypted-file |
Linux, WSL2, CI/CD | AES-256-GCM, password-protected |
keepassxc |
Existing KeePass users | Set AQUAMAN_KEEPASS_PASSWORD or key file |
1password |
Team credential sharing | brew install 1password-cli && op signin |
vault |
Enterprise secrets management | Set VAULT_ADDR + VAULT_TOKEN |
systemd-creds |
Linux with systemd β₯ 256 | TPM2-backed, no root required |
Important: encrypted-file is a last-resort backend for headless Linux/CI environments without a native keyring. For better security, install libsecret-1-dev (for GNOME Keyring), use systemd-creds (Linux with TPM2), or use 1Password/Vault.
openclaw security audit --deep reports two expected findings:
dangerous-execonproxy-manager.tsβ the plugin spawns the proxy as a separate process. This is how aquaman keeps credentials out of the agent.tools_reachable_permissive_policyβ OpenClaw warns that plugin tools (likeaquaman_status) are reachable when no restrictive tool profile is set. This is an environment-level advisory about your agent's tool policy, not a vulnerability in aquaman. If your agents handle untrusted input, set"tools": { "profile": "coding" }inopenclaw.jsonto restrict which tools agents can call.
aquaman setup adds the plugin to plugins.allow automatically so OpenClaw knows you trust it.
Security β Process-level credential isolation via Unix domain socket (no TCP port, no network exposure). Socket file permissions (chmod 600) restrict access to the owning user. Tamper-evident audit logs with SHA-256 hash chains
DevOps β Plugs into Keychain, 1Password, and HashiCorp Vault; YAML-based service config; 23 builtin services across 4 auth modes
Developers β Transparent reverse proxy, no SDK changes, works with any OpenClaw workflow or standalone app