โ† Back to directory

Aquaman

Aquaman is a credential isolation proxy for OpenClaw Gateway that keeps API keys and channel tokens out of the agent process entirely. It runs as a separate sidecar process listening on a Unix domain socket, intercepting outbound API calls and injecting authentication headers from secure backends like macOS Keychain, 1Password, or HashiCorp Vault. Even if an agent is fully compromised through prompt injection or RCE, credentials are never exposed because they exist in a different address space. It ships as two npm packages: aquaman-proxy (the HTTP proxy daemon and CLI) and aquaman-plugin (the OpenClaw Gateway plugin that wires everything up automatically).

security, infosec, credential-isolation

By Anonymous. Added 2/16/2026