From keeper-admin
Manage Keeper Vault, enterprise administration, PAM, and privileged access using Keeper Commander CLI (keeper). Use when the user needs to manage vault records interactively, run enterprise admin tasks (user/team/role management, SSO config, device approvals, compliance reporting), manage KSM Applications and Client Devices, configure password rotation, launch remote sessions (SSH, RDP, database), import/export data, or perform any administrative operation on Keeper. Also use when the user mentions 'keeper commander', 'keeper shell', 'keeper admin', asks about managing users/teams/roles/nodes in Keeper, needs to create KSM applications, or wants to automate Keeper admin tasks. If the user only needs to retrieve or inject secrets for an application, use the keeper-secrets skill instead.
Slash command: /keeper-admin:keeper-admin
Commander is Keeper's full-featured admin CLI and terminal UI. Everything available in the Keeper Vault UI and Admin Console can be done via Commander. It authenticates as a user (not a machine application) and provides the full breadth of vault, enterprise, and PAM operations.
ksm uses; runtime secret injection belongs in the keeper-secrets skill

| Need | Tool |
|---|---|
| Enterprise admin (users, teams, roles, nodes) | keeper |
| Create KSM Applications and Client Devices | keeper |
| Password rotation setup/management | keeper |
| Launch remote sessions (SSH, RDP, DB) | keeper |
| Import/export vault data | keeper |
| Interactive vault browsing | keeper |
| Run as REST API service | keeper |
| Compliance reporting and audit | keeper |
| Retrieve secrets for an app at runtime | Use ksm - see keeper-secrets skill |
| Inject secrets into env vars / config files | Use ksm - see keeper-secrets skill |
```bash
pip install keepercommander
```

Check installation: keeper version
```bash
# Interactive login (preferred — credentials are not passed as CLI arguments)
keeper shell
# Prompts for email + master password + 2FA

# Persistent login (recommended for ongoing CLI use)
keeper shell
My Vault> this-device register
My Vault> this-device persistent-login ON

# Biometric authentication (supported platforms)
My Vault> biometric register
```
Do not pass master passwords, API tokens, or vault field values on the command
line (e.g. --password), in URLs, or in generated scripts—they appear in process
listings and shell history. For automation, use interactive setup once, enable
persistent device login where appropriate, or follow the official Commander CLI
documentation for supported non-interactive patterns.
```bash
My Vault> list                      # List records in current folder
My Vault> ls -l                     # Detailed listing with UIDs
My Vault> search "database"         # Search across all records
My Vault> tree                      # Show folder tree
My Vault> cd "Shared Folder"        # Navigate to folder
My Vault> get <RECORD_UID>          # Show full record details

My Vault> add --record-type login --title "New Record" \
    --field login=admin
# Set passwords and other sensitive fields via interactive prompts, or supply values only from the user’s secure input—never embed sample secrets in commands.
My Vault> edit <RECORD_UID>
# Or non-interactive field updates for non-secret fields only, e.g. --field login=newuser
My Vault> rm <RECORD_UID>
My Vault> record-history <RECORD_UID>

My Vault> share-record -e <USER_EMAIL> -a grant -u <RECORD_UID>
My Vault> share-folder -e <USER_EMAIL> -a grant -u <FOLDER_UID>

My Vault> import --format json records.json
My Vault> export --format json --output vault_export.json
```
These commands require enterprise admin privileges.
```bash
My Vault> enterprise-user --add <USER_EMAIL>
My Vault> enterprise-user --invite <USER_EMAIL>
My Vault> enterprise-user --delete <USER_EMAIL>
My Vault> enterprise-user --lock <USER_EMAIL>
My Vault> enterprise-user --unlock <USER_EMAIL>

My Vault> enterprise-team --add "Engineering Team"
My Vault> enterprise-role --add-user <USER_EMAIL> --role "Admin Role"
My Vault> enterprise-role --enforcement MASTER_PASSWORD_MINIMUM_LENGTH:12

My Vault> device-approve                      # List pending approvals
My Vault> device-approve --approve <DEVICE_ID>
My Vault> device-approve --deny <DEVICE_ID>

My Vault> audit-report --format csv --output audit.csv
My Vault> compliance-report
```
Commander is used to create and manage the KSM Applications and Client Devices that the KSM CLI connects through.
```bash
# Create an Application
My Vault> secrets-manager app create --name "Production App" \
    --shared-folder <FOLDER_UID>

# List Applications
My Vault> secrets-manager app list

# Add a Client Device (generates One-Time Access Token)
My Vault> secrets-manager client add --app <APP_UID> \
    --name "Web Server 1" --unlock-ip

# Remove a Client Device
My Vault> secrets-manager client remove --app <APP_UID> \
    --client "Web Server 1"

# Share Application with another user
My Vault> secrets-manager share --app <APP_UID> --email <USER_EMAIL>
```
The One-Time Access Token output from client add is configured on the target
machine using the keeper-setup skill (token via KSM_CLI_TOKEN or other
supported secure methods—not as a literal --token argument in shared
examples or chat).
```bash
# List PAM resources (gateways, connections)
My Vault> pam gateway list
My Vault> pam configuration list

# Launch SSH session
My Vault> connect <RECORD_UID>

# Manage password rotation
My Vault> pam rotation list
My Vault> pam rotation start --record <RECORD_UID>
```
Commander can run as a headless REST API for automation.
```bash
keeper --batch-mode api-server --port 8089

# Run commands from a file
keeper --batch-mode --commands-file commands.txt

# Pipe commands
echo "list" | keeper --batch-mode --user <USER_EMAIL>
```
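The earlier rule about keeping secrets off the command line applies equally to a commands file handed to --commands-file, since that file tends to end up in repositories and CI logs. The following pre-flight check is an added example, not part of this skill or of Keeper's tooling; the secret-looking field names and the sample lines are assumptions, and the sample lines are not checked against Commander's syntax.

```shell
#!/bin/sh
# Added example, not Keeper tooling. --password and --token are the flags the
# page names; the secret-looking field names in FIELD_RE are an assumption.
FLAG_RE='--(password|token)([= ]|$)'
FIELD_RE='--field[= ]+"?(password|secret|passphrase|token)[^= ]*='

# lint_commands FILE
# Prints the numbers of offending lines (never the lines themselves, so the
# secret is not copied into CI logs) and returns 1 when any are found.
# Commented-out commands are ignored.
lint_commands() {
    hits=$(grep -nEi -e "$FLAG_RE" -e "$FIELD_RE" "$1" |
           grep -vE '^[0-9]+:[[:space:]]*#' |
           cut -d: -f1 | tr '\n' ' ')
    hits=${hits% }
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_sample FILE
# Constructed batch file: values are placeholders, lines are illustrative only.
write_sample() {
    cat > "$1" <<'EOF'
# nightly maintenance (constructed sample)
list
login admin@example.com --password PLACEHOLDER
add --record-type login --title "New Record" --field login=admin
add --record-type login --title "DB" --field password=PLACEHOLDER
# add --field password=PLACEHOLDER
EOF
}

sample=$(mktemp)
write_sample "$sample"
if bad=$(lint_commands "$sample"); then
    echo "clean: ok to pass to keeper --batch-mode --commands-file"
else
    echo "refusing to run: inline secrets on line(s) $bad"
fi
rm -f "$sample"
```

A pattern check like this only catches the obvious cases; it complements, and does not replace, entering secrets through interactive prompts.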
For detailed command reference, read references/commander-commands.md. For keeper:// URIs and ksm exec / ksm interpolate, see Keeper notation and the keeper-secrets skill.
```bash
npx claudepluginhub keeper-security/keeper-agent-kit --plugin keeper-admin
```