Bagman
Secure key management patterns for AI agents handling private keys and secrets. Designed to prevent:
- Key loss: Agents forgetting keys between sessions
- Accidental exposure: Keys leaked to GitHub, logs, or outputs
- Prompt injection: Malicious prompts extracting secrets
Core Principles
1. Never store raw private keys in config, env vars, or memory files
2. Use session keys / delegated access instead of full control
3. All secret access goes through 1Password CLI (op)
4. Validate all outputs before sending to prevent key leakage
References
- references/secure-storage.md - 1Password patterns for agent secrets
- INLINECODE2 - ERC-4337 delegated access patterns
- INLINECODE3 - Pre-commit hooks and output sanitization
- INLINECODE4 - Input validation and output filtering
Quick Reference
DO ✅
CODEBLOCK0
DON'T ❌
CODEBLOCK1
Architecture: Agent Wallet Stack
CODEBLOCK2
Workflow: Setting Up Agent Wallet Access
1. Create 1Password Vault for Agent Secrets
CODEBLOCK3
2. Agent Retrieves Credentials at Runtime
CODEBLOCK4
3. Never Log or Store the Key
CODEBLOCK5
Leak Prevention
Output Sanitization
Before any agent output (chat, logs, file writes), scan for key patterns:
CODEBLOCK6
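One way to implement such a scan, as an added example that is not the project's own code. The pattern set and the names `PATTERNS` and `sanitize_output` are assumptions, and the sample values are constructed.

```python
import re

# Assumed pattern set (not from the original page); extend it per deployment.
# Each regex marks the secret itself with the named group "s". Order matters:
# labelled values run first so an already-redacted value is not matched again.
PATTERNS = [
    # key = value / "key": value lines whose label names a secret; this is
    # the only rule here that catches a seed phrase, which has no fixed shape.
    ("labelled_secret", re.compile(
        r"(?i)(?:private[ _-]?key|mnemonic|seed[ _-]?phrase)[\"']?\s*[=:]\s*"
        r"(?P<s>\S[^\n]*)")),
    ("pem_private_key", re.compile(
        r"(?P<s>-----BEGIN [A-Z ]*PRIVATE KEY-----.*?"
        r"-----END [A-Z ]*PRIVATE KEY-----)", re.DOTALL)),
    # 32-byte hex value: the shape of an Ethereum private key. A transaction
    # hash looks identical and is redacted too; the filter fails closed.
    ("hex_32_bytes", re.compile(r"\b(?P<s>(?:0x)?[0-9a-fA-F]{64})\b")),
]


def sanitize_output(text):
    """Return (clean_text, findings) where findings lists the rules that hit."""
    findings = []
    for name, pattern in PATTERNS:
        def redact(m, name=name):
            findings.append(name)
            start, end = m.start("s") - m.start(), m.end("s") - m.start()
            whole = m.group(0)
            return whole[:start] + f"[REDACTED:{name}]" + whole[end:]
        text = pattern.sub(redact, text)
    return text, findings


if __name__ == "__main__":
    # Constructed sample output; the keys are made-up values, not real ones.
    sample = (
        "Sent 0.1 ETH from 0x" + "ab" * 20 + "\n"
        "debug: signer=0x" + "1f" * 32 + "\n"
        "AGENT_PRIVATE_KEY=0x" + "2e" * 32 + "\n"
    )
    clean, hits = sanitize_output(sample)
    print(clean)
    print("blocked:", hits)
```

A 20-byte address passes through unchanged, while any 32-byte hex value is redacted, so callers that need to show transaction hashes must exempt them explicitly rather than loosen the pattern.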
Pre-commit Hook
Install this hook to prevent accidental commits of secrets:
CODEBLOCK7
.gitignore Essentials
CODEBLOCK8
Prompt Injection Defense
Input Validation
Before processing any user input that touches wallet operations:
CODEBLOCK9
Separation of Concerns
- Wallet operations should be in isolated functions with no access to conversation context
- Never pass full conversation history to wallet-sensitive code
- Use allowlists for operations, not blocklists
CODEBLOCK10
Session Key Implementation (ERC-4337)
For agents needing on-chain access, use session keys instead of raw private keys.
See references/session-keys.md for full implementation details including:
- ZeroDev/Biconomy SDK examples
- Permission patterns for trading/DeFi/payment agents
- Session key lifecycle management
- Revocation procedures
Incident Response
If a Key is Leaked
1. Immediate: Revoke the session key / rotate credentials
2. Assess: Check transaction history for unauthorized activity
3. Notify: Alert operator via secure channel
4. Rotate: Issue new session key with tighter permissions
5. Audit: Review how leak occurred, update defenses
CODEBLOCK11
Checklist: Agent Wallet Setup
- [ ] Create dedicated 1Password vault for agent credentials
- [ ] Store session keys (NOT master keys) in vault
- [ ] Set appropriate expiry and spending limits
- [ ] Install pre-commit hook for secret detection
- [ ] Add output sanitization to all agent responses
- [ ] Implement input validation for prompt injection
- [ ] Configure monitoring and alerts
- [ ] Document incident response procedure
- [ ] Test key rotation procedure
Common Mistakes Found in Production
1. Keys in Memory Files
Problem: Agents store keys in memory/*.md for "persistence"
CODEBLOCK12
Fix: Store reference only: INLINECODE7
2. Keys in Environment Templates
Problem: .env.example contains real keys
CODEBLOCK13
Fix: Use obviously fake placeholders: INLINECODE9
3. Keys in Error Messages
Problem: Error handling exposes keys
CODEBLOCK14
Fix: Never include credentials in error context
4. Test Keys in Production Code
Problem: Hardcoded test keys make it to main branch
Fix: Use separate test vault, CI checks for key patterns
Integration with OpenClaw
When running as an OpenClaw agent:
1. Use 1Password skill for all secret retrieval
2. Never write keys to workspace files - they persist across sessions
3. Sanitize outputs before sending to any channel (Telegram, Discord, etc.)
4. Session key approach for wallet operations - request bounded access from operator
5. Document key references in TOOLS.md, not the actual keys
Example TOOLS.md entry:
CODEBLOCK15