cloak
Health: Warn
- License: Apache-2.0
- Description: repository has a description
- Active repo: last push 0 days ago
- Low visibility: only 8 GitHub stars
Code: Fail
- rm -rf: recursive force deletion command in .github/workflows/release-install.yml
- rm -rf: recursive force deletion command in .github/workflows/release.yml
Permissions: Pass
- Permissions: no dangerous permissions requested
Local vault for AI agents. Use API keys without exposing raw stored keys to the model.
Cloak
A local vault that lets AI agents use your API keys without seeing the stored key.
Give an AI agent an API key and you've handed it to the model, its logs, and whoever runs the model. If the agent gets prompt-injected, the key walks out with it.
Cloak keeps your keys in an encrypted vault on your machine. The agent never receives the stored key. It asks Cloak to do the thing the key is for, and gets back only the result.
- No read_secret tool. The model can list metadata, sign, proxy, and mint. It cannot read a stored value.
- Local only. No account, no cloud, no telemetry.
- Allowlisted by default. An agent reaches a host only if you approved it for that key.
- Signed releases. Stable artifacts are macOS-notarized, cosign-signed, and SLSA L3-attested.
Example
You: What PRs am I being asked to review?
Claude: (calls proxy_authenticated_http_request on api.github.com; Cloak attaches your GITHUB_TOKEN and runs the request) You have 3 open review requests:
- acmecorp/api#412 cache layer for /v1/users
- acmecorp/worker#198 race in graceful shutdown
- acmecorp/sdk-js#67 clarify rate-limit headers
Claude got the answer. It never got the stored token.
Install
macOS (arm64/x64) and Linux (x64 glibc):
brew install cloakward/cloak/cloak
cloak setup
cloak setup walks you through creating the vault, starting the daemon, and registering the AI clients it finds installed. Claude Desktop, Claude Code, Cursor, Windsurf, Zed, Continue.dev, and Codex are all supported.
Add your first key:
cloak add OPENAI_API_KEY
cloak unlock
Before an agent can call an API, you allowlist the host for that key. The quickstart covers that, plus Linux, Docker, and the Claude Desktop extension.
How it works
Cloak is three pieces:
- cloak: the CLI you use to add and manage secrets.
- cloakd: a local daemon that holds the keys and does the privileged work.
- cloak-mcp: the MCP server your AI client connects to.
Your agent calls a tool on cloak-mcp. cloakd checks your policy, attaches the secret only for the allowed upstream request, and returns the result. The stored key never reaches the agent or model.
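The policy step described above (a per-key host allowlist checked before the secret is attached, and an agent-facing surface with no read operation) is easiest to see in a small model. The following is an added illustration written for this page, not Cloak's own code: the class and method names (Vault, list_secrets, proxy_authenticated_http_request, PolicyError) are assumptions modelled on the README's wording, and the upstream API is a constructed stub so the example runs offline. It also shows the URL-parsing details a host allowlist has to get right (exact host match rather than suffix match, https only, no userinfo in the URL), which the README does not spell out.

```python
"""Toy model of a key vault whose agent-facing surface cannot read secrets.

Added example for illustration; not Cloak's implementation. All names are
assumptions modelled on the README, and the transport is a constructed stub.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class PolicyError(Exception):
    """Raised when a request is refused before any secret is attached."""


@dataclass
class Secret:
    name: str
    value: str                                   # never returned to a caller
    allowed_hosts: set[str] = field(default_factory=set)


def _checked_host(url: str) -> str:
    """Return the exact, lower-cased host of an https URL or refuse it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PolicyError("only https upstreams are allowed")
    if parts.username is not None or parts.password is not None:
        # "https://api.github.com@other.example/" parses with host other.example;
        # refusing userinfo outright avoids reasoning about that case at all.
        raise PolicyError("userinfo in URL is refused")
    if not parts.hostname:
        raise PolicyError("URL has no host")
    return parts.hostname.lower()


class Vault:
    """Holds secret values; exposes only metadata and the proxy operation."""

    def __init__(self, transport):
        # transport(method, url, headers) -> (status, body); injected so the
        # example can run against a stub instead of the network.
        self._secrets: dict[str, Secret] = {}
        self._transport = transport

    # Operator-side operations (what the CLI would drive).
    def add(self, name: str, value: str) -> None:
        self._secrets[name] = Secret(name, value)

    def allow_host(self, name: str, host: str) -> None:
        self._secrets[name].allowed_hosts.add(host.lower())

    # Agent-facing tools. Deliberately no read_secret(): metadata only.
    def list_secrets(self) -> list[dict]:
        return [{"name": s.name, "allowed_hosts": sorted(s.allowed_hosts)}
                for s in self._secrets.values()]

    def proxy_authenticated_http_request(self, name: str, method: str, url: str) -> dict:
        secret = self._secrets.get(name)
        if secret is None:
            raise PolicyError(f"unknown secret {name!r}")
        host = _checked_host(url)
        # Exact membership, so a sub- or look-alike host is not matched by suffix.
        if host not in secret.allowed_hosts:
            raise PolicyError(f"{host} is not allowlisted for {name}")
        headers = {"Authorization": f"Bearer {secret.value}"}
        status, body = self._transport(method, url, headers)
        # Only the upstream result goes back; the header never leaves this function.
        return {"status": status, "body": body}


def fake_api(method, url, headers):
    """Constructed stand-in for an upstream API: accepts any bearer token."""
    if headers.get("Authorization", "").startswith("Bearer "):
        return 200, '{"review_requests": 3}'
    return 401, '{"message": "Bad credentials"}'


def demo() -> dict:
    vault = Vault(fake_api)
    vault.add("GITHUB_TOKEN", "ghp_constructed_example_value")   # constructed value
    vault.allow_host("GITHUB_TOKEN", "api.github.com")
    allowed = vault.proxy_authenticated_http_request(
        "GITHUB_TOKEN", "GET", "https://api.github.com/search/issues")
    refused = {}
    for label, url in {
        "other host": "https://example.com/",
        "subdomain": "https://evil.api.github.com/",
        "userinfo": "https://api.github.com@other.example/",
        "plain http": "http://api.github.com/",
    }.items():
        try:
            vault.proxy_authenticated_http_request("GITHUB_TOKEN", "GET", url)
            refused[label] = False
        except PolicyError:
            refused[label] = True
    return {"allowed_status": allowed["status"], "refused": refused,
            "metadata": vault.list_secrets()}


if __name__ == "__main__":
    print(demo())
```

The point of the stub transport is that the only thing the calling agent ever sees is the (status, body) pair; the Authorization header is built and consumed inside the vault. As the next section notes, that does not stop the agent misusing an allowlisted host, which is why the allowlist is per key rather than global.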
What it protects, and what it doesn't
Cloak stops your long-lived key from leaking. It does not make a hijacked agent safe to ignore:
- mint_short_lived_token hands the agent a scoped, expiring token on purpose.
- proxy_authenticated_http_request returns the API's response to the agent.
- An agent can still misuse the access you granted on an allowlisted host.
Cloak is built for a single-user machine. Root, a compromised build host, or a user who pipes their own secrets out are out of scope. The full threat model spells out the rest.
Documentation
License
Apache-2.0. See LICENSE.