Back to Details

credentials

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Credentials Skill

凭证管理Skill

Manages arbitrary named secrets — API keys, tokens, passwords, URLs — encrypted at rest using AES-256-GCM with per-credential PBKDF2 key derivation. Values are stored as encrypted blobs in 
~/.aibtc/credentials.json
; only identifiers, labels, categories, and timestamps are stored in plaintext. No wallet is required — the credential store uses its own master password independent of the wallet system.
管理任意命名的机密信息——包括API密钥、令牌、密码、URL——静止状态下采用AES-256-GCM加密,每个凭证使用独立的PBKDF2密钥派生。机密值以加密 blob 形式存储在
~/.aibtc/credentials.json
中;仅标识符、标签、分类和时间戳以明文存储。无需钱包——该凭证存储工具使用独立于钱包系统的专属主密码。

Usage

使用方法

bun run credentials/credentials.ts <subcommand> [options]
bun run credentials/credentials.ts <subcommand> [options]

Subcommands

子命令

add

add

Add a new credential or update an existing one. The value is encrypted with AES-256-GCM using a key derived from the master password via PBKDF2 (100,000 iterations, per-credential salt).
bun run credentials/credentials.ts add --id <id> --value <value> --password <pass> [--label <text>] [--category <cat>]
Options:
  • --id
    (required) — Normalized credential identifier (e.g. 
    hiro-api-key
    , 
    openrouter-token
    )
  • --value
    (required) — Plaintext secret value (sensitive — not stored)
  • --password
    (required) — Master password for encryption (sensitive)
  • --label
    (optional) — Human-readable label (default: same as id)
  • --category
    (optional) — Category tag such as 
    api-key
    , 
    token
    , 
    url
    , or 
    secret
    (default: 
    secret
    )
Output:
json
{
  "success": true,
  "id": "hiro-api-key",
  "label": "Hiro API Key",
  "category": "api-key",
  "createdAt": "2026-01-01T00:00:00.000Z",
  "updatedAt": "2026-01-01T00:00:00.000Z"
}
添加新凭证或更新现有凭证。机密值通过PBKDF2(100,000次迭代,每个凭证独立盐值)从主密码派生的密钥,采用AES-256-GCM加密。
bun run credentials/credentials.ts add --id <id> --value <value> --password <pass> [--label <text>] [--category <cat>]
选项:
  • --id
    (必填)——标准化凭证标识符(例如
    hiro-api-key
    , 
    openrouter-token
  • --value
    (必填)——明文机密值(敏感信息——不会存储明文)
  • --password
    (必填)——用于加密的主密码(敏感信息)
  • --label
    (可选)——人类可读标签(默认值:与id相同)
  • --category
    (可选)——分类标签,例如
    api-key
    , 
    token
    , 
    url
    secret
    (默认值:
    secret
输出:
json
{
  "success": true,
  "id": "hiro-api-key",
  "label": "Hiro API Key",
  "category": "api-key",
  "createdAt": "2026-01-01T00:00:00.000Z",
  "updatedAt": "2026-01-01T00:00:00.000Z"
}

get

get

Decrypt and return a credential value. The plaintext value appears in the output — handle with care.
bun run credentials/credentials.ts get --id <id> --password <pass>
Options:
  • --id
    (required) — Credential identifier
  • --password
    (required) — Master password for decryption (sensitive)
Output:
json
{
  "id": "hiro-api-key",
  "label": "Hiro API Key",
  "category": "api-key",
  "value": "hiro_api_key_xxxxxxxxxxxxxxxx",
  "createdAt": "2026-01-01T00:00:00.000Z",
  "updatedAt": "2026-01-01T00:00:00.000Z"
}
Tip: Extract the value in scripts with 
$(bun run credentials/credentials.ts get --id hiro-api-key --password $CRED_PASS | jq -r .value)
解密并返回凭证值。输出中会显示明文值——请谨慎处理。
bun run credentials/credentials.ts get --id <id> --password <pass>
选项:
  • --id
    (必填)——凭证标识符
  • --password
    (必填)——用于解密的主密码(敏感信息)
输出:
json
{
  "id": "hiro-api-key",
  "label": "Hiro API Key",
  "category": "api-key",
  "value": "hiro_api_key_xxxxxxxxxxxxxxxx",
  "createdAt": "2026-01-01T00:00:00.000Z",
  "updatedAt": "2026-01-01T00:00:00.000Z"
}
提示:在脚本中可通过
$(bun run credentials/credentials.ts get --id hiro-api-key --password $CRED_PASS | jq -r .value)
提取值

list

list

List all credential identifiers and metadata. No decryption is performed and no secret values are returned.
bun run credentials/credentials.ts list
Output:
json
{
  "count": 2,
  "credentials": [
    {
      "id": "hiro-api-key",
      "label": "Hiro API Key",
      "category": "api-key",
      "createdAt": "2026-01-01T00:00:00.000Z",
      "updatedAt": "2026-01-01T00:00:00.000Z"
    }
  ]
}
列出所有凭证标识符和元数据。不会执行解密操作,也不会返回机密值。
bun run credentials/credentials.ts list
输出:
json
{
  "count": 2,
  "credentials": [
    {
      "id": "hiro-api-key",
      "label": "Hiro API Key",
      "category": "api-key",
      "createdAt": "2026-01-01T00:00:00.000Z",
      "updatedAt": "2026-01-01T00:00:00.000Z"
    }
  ]
}

delete

delete

Permanently delete a credential. Requires the master password (to verify ownership) and an explicit confirmation string.
bun run credentials/credentials.ts delete --id <id> --password <pass> --confirm DELETE
Options:
  • --id
    (required) — Credential identifier to delete
  • --password
    (required) — Master password for verification (sensitive)
  • --confirm
    (required) — Must be exactly 
    DELETE
Output:
json
{
  "success": true,
  "deleted": "hiro-api-key",
  "message": "Credential \"hiro-api-key\" has been permanently deleted."
}
永久删除凭证。需要主密码(用于验证所有权)和明确的确认字符串。
bun run credentials/credentials.ts delete --id <id> --password <pass> --confirm DELETE
选项:
  • --id
    (必填)——要删除的凭证标识符
  • --password
    (必填)——用于验证的主密码(敏感信息)
  • --confirm
    (必填)——必须精确为
    DELETE
输出:
json
{
  "success": true,
  "deleted": "hiro-api-key",
  "message": "Credential \"hiro-api-key\" has been permanently deleted."
}

rotate-password

rotate-password

Change the master password by atomically re-encrypting all credentials. Decrypts every credential with the old password and re-encrypts with the new one. If any credential fails to decrypt, the operation is aborted before any changes are written.
bun run credentials/credentials.ts rotate-password --old-password <pass> --new-password <pass>
Options:
  • --old-password
    (required) — Current master password (sensitive)
  • --new-password
    (required, min 8 chars) — New master password (sensitive)
Output:
json
{
  "success": true,
  "message": "Password rotated. 3 credentials re-encrypted.",
  "count": 3
}
通过原子方式重新加密所有凭证来更改主密码。使用旧密码解密每个凭证,再用新密码重新加密。如果任何凭证解密失败,操作将中止,不会写入任何更改。
bun run credentials/credentials.ts rotate-password --old-password <pass> --new-password <pass>
选项:
  • --old-password
    (必填)——当前主密码(敏感信息)
  • --new-password
    (必填,最少8个字符)——新主密码(敏感信息)
输出:
json
{
  "success": true,
  "message": "Password rotated. 3 credentials re-encrypted.",
  "count": 3
}

Security Notes

安全说明

  • Credentials are AES-256-GCM encrypted with a unique salt and IV per credential — a compromised credential does not weaken others
  • PBKDF2-SHA256 with 100,000 iterations makes brute-force attacks expensive
  • The master password is never written to disk — pass it via 
    --password
    flag or environment variable substitution
  • ~/.aibtc/credentials.json
    is written with mode 0o600 (owner read/write only)
  • The credential store is independent of the wallet system — a separate master password is recommended
  • delete
    and 
    rotate-password
    verify the password by decrypting before mutating the store
  • 每个凭证使用唯一的盐值和IV进行AES-256-GCM加密——单个凭证泄露不会影响其他凭证的安全性
  • 采用100,000次迭代的PBKDF2-SHA256,大幅提高暴力破解的成本
  • 主密码永远不会写入磁盘——通过
    --password
    参数或环境变量传递
  • ~/.aibtc/credentials.json
    文件权限设置为0o600(仅所有者可读写)
  • 凭证存储工具独立于钱包系统——建议使用单独的主密码
  • delete
    rotate-password
    操作会先通过解密验证密码,再修改存储内容