By Yewandou7
Use secrets (API keys, tokens, passwords, private keys) in Claude Code without ever exposing the plaintext to the model. Hand a secret over by typing it in chat; a hook intercepts it and the model only ever works with an opaque handle.
A Claude Code skill that lets Claude use your secrets (API keys, tokens, passwords, private keys) without ever reading them.
You hand a secret over by typing it into the Claude Code chat box. A hook
intercepts it before it reaches the model, so the plaintext never lands in the
conversation, the context window, or the transcript. From then on Claude works
only with an opaque handle like {{secret:openai_api_key}}; the real value is
substituted outside the model's view, at the moment a command runs, and scrubbed
from any output that comes back.
A task may need a sensitive value, but putting that plaintext in front of the
model is a leak risk — it can be echoed back, logged, or stored in transcripts.
cloak keeps the value outside the model while still letting Claude
invoke operations that depend on it.
cloak is a Claude Code plugin. Install it from this repo's marketplace,
inside Claude Code:
/plugin marketplace add Yewandou7/cloak
/plugin install cloak
That's it — no clone, no curl | bash, no PATH editing. Installing the plugin
registers the two hooks (chat capture + no-read guard), puts the cloak
command on the Bash PATH, and makes the skill discoverable. Restart Claude Code
if prompted.
1. Give Claude a secret — type this on its own line in the chat box:
secret-set openai_api_key sk-realkey...
The hook stores it and blocks the message, so Claude only sees a receipt naming the handle — never the value.
2. Let Claude use it — Claude references the handle and runs the command through the resolver:
cloak run -- curl -H "Authorization: Bearer {{secret:openai_api_key}}" \
https://api.openai.com/v1/models
The key is injected only into the child process; the output Claude sees has the
value replaced with ***.
Or inject it as an environment variable instead of inlining it:
cloak run --secret openai_api_key -- \
bash -c 'curl -H "Authorization: Bearer $CLOAK_OPENAI_API_KEY" URL'
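The resolve-and-redact step described above, as an added example that is not cloak's own code: handles in the child's arguments are replaced from an in-memory store, the child runs without a shell, and every stored value is masked in the captured output. The names `resolve`, `redact`, `run_redacted` and the sample store are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Handle syntax as shown on this page: {{secret:NAME}}
HANDLE = re.compile(r"\{\{secret:([A-Za-z0-9_]+)\}\}")

def resolve(argv, store):
    """Return argv with every {{secret:NAME}} replaced by its stored value."""
    def lookup(match):
        name = match.group(1)
        if name not in store:
            # Fail closed: never pass an unresolved handle on to the child.
            raise KeyError(f"unknown secret handle: {name}")
        # Returned from a function, so backslashes in a secret stay literal.
        return store[name]
    return [HANDLE.sub(lookup, arg) for arg in argv]

def redact(text, values):
    """Mask each secret value with ***.

    Longest values go first: if one secret is a prefix of another,
    masking the short one first would leave the long one's tail visible.
    """
    for value in sorted(values, key=len, reverse=True):
        if value:  # an empty string would match everywhere
            text = text.replace(value, "***")
    return text

def run_redacted(argv, store):
    """Run argv with no shell; return (exit code, redacted stdout, redacted stderr)."""
    proc = subprocess.run(resolve(argv, store), capture_output=True, text=True)
    secrets = list(store.values())
    return proc.returncode, redact(proc.stdout, secrets), redact(proc.stderr, secrets)

# Constructed sample values, not real credentials.
SAMPLE_STORE = {"demo_token": "tok-CONSTRUCTED-123", "demo_prefix": "tok-CONSTRUCTED"}

if __name__ == "__main__":
    # Constructed child process that echoes its argument back.
    child = [sys.executable, "-c", "import sys; print('sent', sys.argv[1])",
             "Bearer {{secret:demo_token}}"]
    print(run_redacted(child, SAMPLE_STORE))
```

Arguments of a running process can typically be read by other local users through the process list, which the environment-variable form shown above avoids.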
cloak list # show handle names only (never values)
cloak rm openai_api_key # remove a handle
Secrets persist in ~/.claude/cloak/store.json (mode 0600) across
sessions and restarts, until you remove them.
| Piece | Role |
|---|---|
| hooks/capture_secret.py | UserPromptSubmit hook — intercepts a secret-set line in chat, stores it, blocks the message so the plaintext is erased from model context and transcript. |
| bin/cloak | Resolver — list, run (resolve {{secret:NAME}} and redact output), plus low-level set/rm. The plugin auto-adds it to the Bash PATH. |
| hooks/deny_store_access.py | PreToolUse hook — blocks the model from reading the store or expanding $CLOAK_* outside cloak run. |
| hooks/hooks.json | Registers both hooks when the plugin is installed. |
Run the end-to-end proof:
bash tests/e2e.sh
cat/grep; anyone who can read the file and run base64 -d can recover the
value. What actually stops Claude from reading it is the PreToolUse hook plus
file permissions — not encryption. For encryption at rest, back the store with
a real secret manager (1Password, pass, age); that backend is not included
here.
~/.claude, outside the repo.
MIT
Executes bash commands
Hook triggers when Bash tool is used
npx claudepluginhub yewandou7/cloak --plugin cloak