
1Claw Vault
Fetch production secrets just-in-time from an HSM-backed vault and scan prompts or content for injection threats before agents act on them.
Overview
io.github.1clawAI/1claw-mcp is an MCP server for the Ship phase that provides HSM-backed just-in-time vault secrets and prompt-injection threat scanning for AI agents.
What is this MCP server?
- JIT secret retrieval from HSM-backed 1Claw Vault via npm @1claw/mcp (v0.32.1)
- Agent API key (ocv_…) exchanged for short-lived JWT with auto agent/vault discovery
- Optional ONECLAW_LOCAL_ONLY mode: inspect_content only, no vault credentials
- Environment pins for ONECLAW_AGENT_ID, ONECLAW_VAULT_ID, ONECLAW_BASE_URL
- Prompt-injection and broader threat scanning for agent pipelines
- Package version 0.32.1
- npm identifier @1claw/mcp
- Default API base https://api.1claw.xyz
Community signal: 2 GitHub stars.
What problem does it solve?
Agents often inherit static secrets and untrusted user content in one context, which invites leakage and injection attacks right before you ship automations.
Who is it for?
Indie builders running Claude Code or Cursor agents against production APIs who want vault-backed JIT credentials plus inline injection screening.
Skip if: you have no secret management budget, or you only need static .env files without threat inspection features.
What do I get? / Deliverables
After configuring @1claw/mcp, agents pull short-lived vault secrets on demand and can run inspect_content checks without you embedding long-term keys in prompts.
- Just-in-time secret reads from configured 1Claw vaults
- Threat and prompt-injection inspection results on supplied content
- Documented env-based wiring for multi-vault and custom base URL
Journey fit
Ship-phase security is where agents meet real credentials and untrusted text; vault JIT access and injection scanning belong on the path to safe deployment. The Security subphase covers secret hygiene and threat inspection, not generic backend CRUD, which matches 1Claw Vault's HSM storage and inspect_content controls.
How it compares
This is an HSM-backed vault and agent threat-scanning MCP server, not a generic secrets-linter skill or hosting panel.
Common Questions / FAQ
Who is io.github.1clawAI/1claw-mcp for?
Solo developers and small teams shipping agent workflows that must access real secrets safely and scan untrusted text for injection patterns.
When should I use io.github.1clawAI/1claw-mcp?
Use it during ship and security hardening when agents need production credentials and you want JIT vault access plus content inspection before automation goes live.
How do I add io.github.1clawAI/1claw-mcp to my agent?
Add the stdio server @1claw/mcp via npm, set ONECLAW_AGENT_API_KEY (ocv_…), optionally set ONECLAW_VAULT_ID and ONECLAW_BASE_URL, and enable ONECLAW_LOCAL_ONLY if you only need inspect_content.