credentials
Credentials Skill
Manages arbitrary named secrets — API keys, tokens, passwords, URLs — encrypted at rest using AES-256-GCM with per-credential PBKDF2 key derivation. Values are stored as encrypted blobs in ~/.aibtc/credentials.json; only identifiers, labels, categories, and timestamps are stored in plaintext. No wallet is required — the credential store uses its own master password independent of the wallet system.
Usage
bun run credentials/credentials.ts <subcommand> [options]
Subcommands
add
Add a new credential or update an existing one. The value is encrypted with AES-256-GCM using a key derived from the master password via PBKDF2 (100,000 iterations, per-credential salt).
bun run credentials/credentials.ts add --id <id> --value <value> --password <pass> [--label <text>] [--category <cat>]
Options:
--id(required) — Normalized credential identifier (e.g.hiro-api-key,openrouter-token)--value(required) — Plaintext secret value (sensitive — not stored)--password(required) — Master password for encryption (sensitive)--label(optional) — Human-readable label (default: same as id)--category(optional) — Category tag such asapi-key,token,url, orsecret(default:secret)
Output:
{
"success": true,
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
get
Decrypt and return a credential value. The plaintext value appears in the output — handle with care.
bun run credentials/credentials.ts get --id <id> --password <pass>
Options:
--id(required) — Credential identifier--password(required) — Master password for decryption (sensitive)
Output:
{
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"value": "hiro_api_key_xxxxxxxxxxxxxxxx",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
Tip: Extract the value in scripts with
$(bun run credentials/credentials.ts get --id hiro-api-key --password $CRED_PASS | jq -r .value)
list
List all credential identifiers and metadata. No decryption is performed and no secret values are returned.
bun run credentials/credentials.ts list
Output:
{
"count": 2,
"credentials": [
{
"id": "hiro-api-key",
"label": "Hiro API Key",
"category": "api-key",
"createdAt": "2026-01-01T00:00:00.000Z",
"updatedAt": "2026-01-01T00:00:00.000Z"
}
]
}
delete
Permanently delete a credential. Requires the master password (to verify ownership) and an explicit confirmation string.
bun run credentials/credentials.ts delete --id <id> --password <pass> --confirm DELETE
Options:
--id(required) — Credential identifier to delete--password(required) — Master password for verification (sensitive)--confirm(required) — Must be exactlyDELETE
Output:
{
"success": true,
"deleted": "hiro-api-key",
"message": "Credential \"hiro-api-key\" has been permanently deleted."
}
rotate-password
Change the master password by atomically re-encrypting all credentials. Decrypts every credential with the old password and re-encrypts with the new one. If any credential fails to decrypt, the operation is aborted before any changes are written.
bun run credentials/credentials.ts rotate-password --old-password <pass> --new-password <pass>
Options:
--old-password(required) — Current master password (sensitive)--new-password(required, min 8 chars) — New master password (sensitive)
Output:
{
"success": true,
"message": "Password rotated. 3 credentials re-encrypted.",
"count": 3
}
Security Notes
- Credentials are AES-256-GCM encrypted with a unique salt and IV per credential — a compromised credential does not weaken others
- PBKDF2-SHA256 with 100,000 iterations makes brute-force attacks expensive
- The master password is never written to disk — pass it via
--passwordflag or environment variable substitution ~/.aibtc/credentials.jsonis written with mode 0o600 (owner read/write only)- The credential store is independent of the wallet system — a separate master password is recommended
deleteandrotate-passwordverify the password by decrypting before mutating the store
More from aibtcdev/skills
arxiv-research
Fetch and compile arXiv papers on LLMs, autonomous agents, and AI infrastructure into scored, grouped research digests. Stores digests at ~/.aibtc/arxiv-research/digests/. No API key required.
178aibtc-news
aibtc.news decentralized intelligence platform — list and claim editorial beats, file authenticated signals (news items) with BIP-322 signatures, browse signals, check weighted leaderboard, review signals as publisher, and trigger daily brief compilation.
166aibtc-news-correspondent
Correspondent for aibtc.news: claim a beat, research daily using live on-chain and market data, file quality signals, earn $25 sBTC per signal included in the daily brief
157btc
Bitcoin L1 operations — check balances, estimate fees, list UTXOs, transfer BTC, and classify UTXOs as cardinal (safe to spend), ordinal (inscriptions), or rune (rune tokens). Data sourced from mempool.space and the Unisat API.
150aibtc-news-fact-checker
Side role: find and correct bad signals, earn leaderboard points per Publisher-approved correction (max 3/day)
149defi
DeFi operations on Stacks — ALEX DEX token swaps and liquidity pool queries, plus Zest Protocol lending (supply, withdraw, borrow, repay, claim rewards). All operations are mainnet-only. Write operations require an unlocked wallet.
148