vault-secrets

$ npx mdskill add automateyournetwork/netclaw/vault-secrets

Securely manage HashiCorp Vault KV secrets with value protection

  • Solve tasks like reading, writing, and injecting secrets without exposing values
  • Uses Vault API via the vault-mcp server for secure secret operations
  • Enforces strict value protection by never displaying secret contents
  • Delivers metadata and injects secrets directly to integrations as needed

SKILL.md

.github/skills/vault-secrets
---
name: vault-secrets
description: "Manage HashiCorp Vault KV secrets with strict value protection."
version: 1.0.0
license: Apache-2.0
author: netclaw
tags: []
---

# Vault Secrets Skill

Manage HashiCorp Vault KV secrets with strict value protection.

## Tools

| Tool | Description |
|------|-------------|
| `read_secret` | Read secret metadata (values NEVER displayed) |
| `write_secret` | Write secret to KV engine |
| `list_secrets` | List secrets in a path |
| `delete_secret` | Delete a secret |
| `get_secret_metadata` | Get secret version metadata |
| `inject_secret` | Inject secret value to integration |

## CRITICAL: Secret Value Protection

**Secret values are NEVER displayed in responses.** When reading secrets:
- Only metadata is shown (version, created time, etc.)
- Actual secret values are never logged or returned
- Use the `inject_to` parameter to send secrets directly to integrations
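
The metadata-only pattern described above, as an added example that is not code from the `vault-mcp` server or the netclaw project. It runs against a constructed Vault KV v2 read response; the function names and the choice to expose top-level key names are assumptions.

```python
import json

# Constructed sample shaped like a Vault KV v2 read response (not real data).
SAMPLE_KV2_RESPONSE = {
    "data": {
        "data": {
            "username": "netops",
            "password": "constructed-not-a-real-password",
            "snmp": {"community": "constructed-community"},
        },
        "metadata": {
            "created_time": "2024-01-01T00:00:00Z",
            "custom_metadata": None,
            "deletion_time": "",
            "destroyed": False,
            "version": 3,
        },
    }
}

def _leaves(node):
    """Yield every leaf value of a nested dict/list as a string."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _leaves(value)
    elif isinstance(node, list):
        for value in node:
            yield from _leaves(value)
    elif node is not None:
        yield str(node)

def metadata_only(response):
    """Build the caller-visible view: metadata plus key names, never values."""
    body = response.get("data") or {}
    meta = body.get("metadata") or {}
    secret = body.get("data") or {}  # null when the version has been deleted
    return {
        "version": meta.get("version"),
        "created_time": meta.get("created_time"),
        "deletion_time": meta.get("deletion_time") or None,
        "destroyed": bool(meta.get("destroyed", False)),
        "keys": sorted(secret),  # assumption: key names are safe to show
    }

def leaked_values(view, response):
    """Return secret leaf values found anywhere in the serialized view."""
    rendered = json.dumps(view)
    secret = (response.get("data") or {}).get("data") or {}
    # Substring matching is deliberately strict; very short values may false-positive.
    return sorted(v for v in set(_leaves(secret)) if v and v in rendered)
```

`leaked_values` works as a regression check in a test suite: it should return an empty list for anything that is logged or returned to the caller.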

## Example Queries

```
List secrets in the network-devices path

Read metadata for secret network-devices/router-creds

Inject router credentials to pyATS testbed

Write a new secret to network-devices/switch-01
```

## Prerequisites

- `VAULT_ADDR`: Vault server address
- `VAULT_TOKEN`: Authentication token with appropriate policy
- Optional: `VAULT_NAMESPACE` for Vault Enterprise

## Server

This skill uses the `vault-mcp` server, which connects to the Vault API.
