Claude Skill
onecli/onecli
OneCLI is an open-source credential vault that securely manages secrets for AI agents and CLI tools, preventing key exposure while enabling secure access to external services and APIs.
Overview
Repository
Install this Skill
git clone https://github.com/onecli/onecli.gitRegistry
Summary
OneCLI is an open-source credential vault designed to securely manage secrets for AI agents and CLI tools, enabling access to external services without exposing API keys or sensitive credentials in code or logs.
开源凭证保险库,让您的AI助手安全访问服务,无需暴露密钥。
Key features
- Open-source credential vault for AI agents
- Securely manages API keys and secrets
- Prevents credential exposure in code/logs
- Integrates with MCP (Model Context Protocol)
- Built with TypeScript and Rust
- Supports PostgreSQL for data storage
Use cases
- Securing credentials for AI agent workflows
- Managing secrets in CLI tool development
- Providing secure service access for automation scripts
- Integrating with MCP-based AI applications
- Building secure backend services with secret management
- Developing security tools for developer environments
README excerpt
<picture> <source media="(prefers-color-scheme: dark)" srcset="assets/onecli-logo-dark.gif"> <source media="(prefers-color-scheme: light)" srcset="assets/onecli-logo-light.gif"> <img alt="OneCLI" src="assets/onecli-logo-light.gif" width="100%"> </picture> <p align="center"> <b>The secret vault for AI agents.</b><br/> Store once. Inject anywhere. Agents never see the keys. </p> <p align="center"> <a href="https://onecli.sh">Website</a> · <a href="https://onecli.sh/docs">Docs</a> · <a href="https://discord.gg/PSztzsQB3g">Discord</a> </p> --- <picture> <source media="(prefers-color-scheme: dark)" srcset="assets/onecli-flow-dark.gif"> <source media="(prefers-color-scheme: light)" srcset="assets/onecli-flow-light.gif"> <img alt="How OneCLI works" src="assets/onecli-flow-light.gif" width="100%"> </picture> ## What is OneCLI? OneCLI is an open-source gateway that sits between your AI agents and the services they call. Instead of baking API keys into every agent, you store credentials once in OneCLI and the gateway injects them transparently. Agents never see the secrets. **Why we built it:** AI agents need to call dozens of APIs, but giving each agent raw credentials is a security risk. OneCLI solves this with a single gateway that handles auth, so you get one place to manage access, rotate keys, and see what every agent is doing. **How it works:** You store your real API credentials in OneCLI and give your agents placeholder keys (e.g. `FAKE_KEY`). When an agent makes an HTTP call through the gateway, the OneCLI gateway matches the request to the right credentials, swaps the `FAKE_KEY` for the `REAL_KEY`, decrypts them, and injects them into the outbound request. The agent never touches the real secrets. It just makes normal HTTP ca