Authy
Inject secrets into subprocesses via environment variables. You never see secret values — authy run injects them directly. Use for any command that needs API keys, credentials, or tokens.
安装 / 下载方式
TotalClaw CLI推荐
totalclaw install clawskills:eric8810~eric8810-authycURL直接下载,无需登录
curl -fsSL https://skills.taituai.com/api/skills/clawskills%3Aeric8810~eric8810-authy/file -o eric8810-authy.mdGit 仓库获取源码
git clone https://github.com/openclaw/skills/commit/d0cf28800a9969ad45161138de437e964bcb7a01# Authy — Secure Secret Injection
Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.
## How It Works
Your token is run-only. You can discover secret **names** with `authy list` and inject them into subprocesses with `authy run`. You never see secret values directly.
## Inject Secrets into a Command
```bash
authy run --scope <policy> --uppercase --replace-dash '_' -- <command> [args...]
```
The `--uppercase --replace-dash '_'` flags turn secret names like `db-host` into env vars like `DB_HOST`.
Examples:
```bash
authy run --scope deploy --uppercase --replace-dash '_' -- ./deploy.sh
authy run --scope backend --uppercase --replace-dash '_' -- node server.js
authy run --scope testing --uppercase --replace-dash '_' -- pytest
```
## Discover Secret Names
```bash
authy list --scope <policy> --json
```
Output: `{"secrets":[{"name":"db-host","version":1,...}]}`
## Write Scripts That Use Secrets
Write code that reads environment variables, then run it with `authy run`:
```bash
cat > task.sh << 'EOF'
#!/bin/bash
curl -H "Authorization: Bearer $API_KEY" https://api.example.com/data
EOF
chmod +x task.sh
authy run --scope my-scope --uppercase --replace-dash '_' -- ./task.sh
```
## Error Codes
| Code | Meaning |
|------|---------|
| 0 | Success |
| 2 | Auth failed — check AUTHY_TOKEN / AUTHY_KEYFILE |
| 3 | Secret or policy not found |
| 4 | Access denied or run-only restriction |
| 6 | Token invalid, expired, or revoked |
## Rules
1. **Only use `authy run` and `authy list`** — these are the only commands available to you
2. **Never hardcode credentials** — reference env vars, run via `authy run`
3. **Never echo, print, or log env vars** in subprocess scripts — secrets exist in memory only
4. **Never redirect env vars to files** — do not write `$SECRET` to disk
5. **Use `--scope`** to limit access to needed secrets only