TL;DR
AI agents need credentials but should never see the raw values. passwd-mcp gives agents vault access via MCP — browse secrets, view metadata (redacted), generate TOTP codes.
When the agent also needs to use credentials, the path depends on the platform:
- Cowork’s plugin bundles the agent CLI for exec --inject
- Claude Code and other MCP clients can optionally add the agent CLI
- OpenClaw resolves credentials at the gateway level via SecretRef
Raw values never enter the AI context window.
AI agents are no longer just answering questions. They’re deploying code, configuring infrastructure, onboarding teammates, and managing services. And every one of those workflows eventually hits the same wall: the agent needs a credential.
Today, most people solve this by pasting secrets into chat, hardcoding them in config files, or setting environment variables manually. This works until it doesn’t — and the consequences are real.
The credential problem in agentic workflows
When an AI agent like OpenClaw, Claude Code, or Cursor needs to interact with an external service, it needs authentication. A database password. An API key. An SSH key. A TOTP code.
Without a structured way to access these, teams end up in one of these situations:
- Secrets pasted into agent prompts — now sitting in chat logs, context windows, and potentially in training data.
- Hardcoded in .env files — scattered across machines, out of sync, and easy to accidentally commit.
- Manually copied on demand — breaking the agent’s flow every time a credential is needed.
The recent wave of exposed OpenClaw instances made this painfully visible. Security researchers found over 1,800 deployments leaking API keys, chat histories, and account credentials to the open internet. The problem wasn’t OpenClaw itself — it was that developers gave agents broad access to credentials without proper tooling around it.
What agents actually need
AI agents don’t need to store secrets. They need to use them on demand, from a source of truth, with proper access controls — without ever seeing the raw values.
The key insight: any secret that enters an LLM’s context window should be treated as compromised. Context windows can be extracted via prompt injection, logged, cached, or used in training.
The safe pattern is for agents to reference credentials, while the actual values are injected out-of-band when needed.
That’s where MCP and the agent CLI come in.
MCP: a standard interface for AI tools
The Model Context Protocol (MCP) is an open standard that lets AI agents connect to external tools and data sources. It’s supported by Claude Code, OpenClaw, Cursor, Windsurf, and a growing number of AI clients.
An MCP server exposes a set of tools — like “search the vault” or “generate a TOTP code” — that any MCP-compatible agent can call. The agent discovers the tools automatically and uses them as part of its workflow.
How this works with Passwd
Passwd provides four npm packages — a core library, an MCP server, an agent CLI, and a full CLI — designed around one principle:
Agents can use credentials without ever seeing the raw values.
With the MCP server, the agent can:
- Browse and search the vault — “Find the production database credentials” without switching context.
- Generate TOTP codes on the fly — the agent retrieves the current code and continues the workflow.
- View credential metadata — names, types, tags, and URLs are visible, while sensitive fields are replaced with ••••••••.
With the optional agent CLI, the agent can also:
- Use credentials without seeing them — via exec --inject, commands run with credentials injected as environment variables while stdout is masked. Raw values never enter the AI context.
The agent never stores secrets locally. Every request goes through the Passwd API over HTTPS using your existing account permissions.
Why MCP servers shouldn’t return raw passwords
This is the critical architectural decision.
MCP tools return data into the AI’s context window — and anything in that context can potentially be exfiltrated.
The OWASP MCP Top 10 ranks Token Mismanagement & Secret Exposure (#MCP01:2025) as the number one risk in MCP deployments.
Tool poisoning attacks can redirect agent behavior, and anything visible to the model becomes accessible to prompt injection.
Industry consensus is converging around the same principle:
- Doppler: “Any secret that has touched a context window should be treated as compromised.”
- 1Password: “The AI agent and underlying LLM never need to see nor handle the credentials.”
- OpenClaw RFC #9676: “The agent knows credentials exist but never sees their values.”
Passwd’s approach
The MCP server returns redacted values — sensitive fields are replaced with •••••••• at the code level.
When an agent also needs to use credentials, the mechanism depends on the platform:
- Claude Code and other MCP clients can optionally add the agent CLI and run exec --inject.
- Claude Cowork bundles the agent CLI in its plugin.
- OpenClaw resolves credentials at the gateway level using SecretRef.
In all cases, the raw credential values never enter the AI context window.
Security model
passwd-mcp runs locally on your machine. The agent communicates directly with your Passwd instance — nothing passes through any third party.
The connection enforces HTTPS, and OAuth tokens are stored in the system keychain (for example, macOS Keychain).
The agent operates with your existing Passwd permissions. It can only access secrets you already have access to.
There is no privilege escalation and no additional attack surface.
Structural redaction
Credentials are replaced with •••••••• at the code level, not by policy.
Even if an agent is manipulated by prompt injection, the MCP server physically cannot return raw credential values.
The project is fully open source at:
https://github.com/pepuscz/passwd