AI Agents

Use AI coding agents with Keeper to retrieve secrets, manage vaults, and run admin workflows from the terminal. Credentials stay out of chat and source control.

GitHub: github.com/Keeper-Security/keeper-agent-kit

Overview

Keeper supports two integration models for AI agents: skills/plugins for CLI-driven developer workflows, and MCP servers for agent orchestration platforms. This page covers the Keeper Agent Kit, a set of skills (also called plugins) that teach AI coding agents how to use Keeper's CLI tools.

After installation, your agent can:

• Retrieve and inject secrets with ksm (Keeper Secrets Manager CLI)

• Manage vaults, users, teams, and PAM resources with keeper (Commander CLI)

• Set up both CLIs from scratch if they aren't installed yet

Credentials never appear in chat or get committed to source control. The KSM CLI and Commander CLI resolve secrets at runtime. All access is subject to the same RBAC policies and audit logging as any other Keeper integration.

For the MCP-based approach see MCP for AI Agents (Docker).

What's Included

The Agent Kit contains three skills:

Prerequisites

You'll need:

• A Keeper Security account (Business or Enterprise)

• Python 3.10 or later

• macOS, Linux, or Windows

The KSM CLI and Commander CLI can be installed manually, or you can let the keeper-setup skill walk your agent through first-time setup.

Installation

Choose the guide that matches your setup:

All three methods install the same skills. Pick whichever fits your workflow.

Supported Agents

Quick Start

After installing, use your agent as usual. Skills activate based on context.

Inject a secret into your environment:

"Help me inject my database credentials from Keeper into my app's .env file"

The agent uses keeper-secrets to run ksm exec and pull the secret in without showing it in chat.

Set up KSM for the first time:

"I need to configure Keeper Secrets Manager on this machine"

The agent uses keeper-setup to walk you through CLI installation, profile creation, and token setup.

Look up a user in your Keeper enterprise:

"List all users on the Engineering team in Keeper"

The agent uses keeper-admin to run the right Commander command.

For more examples, see our sample Test Prompts in the repo.

How It Works

Skills are markdown files (SKILL.md) that tell your AI agent how to use a CLI tool. They're not executable code. Each skill documents commands, flags, and error-handling patterns. When you ask a question, the agent reads the relevant skill and builds the right CLI commands from it.

Security model: The agent runs CLI commands on your local machine using your authenticated session. Secrets are resolved by the KSM and Commander CLIs at runtime, not pasted into chat. Standard Keeper RBAC policies and audit logging apply.

Skills vs. MCP

Keeper supports two ways to connect AI agents. You can use both in the same environment.

Troubleshooting

Agent doesn't pick up the skill Check that the skill files landed in the correct directory for your agent. Restart your agent session after installing. In Claude Code, run /plugin and check the Installed tab.

ksm or keeper command not found The CLI tools need to be installed separately. Ask your agent "Help me install KSM CLI" and the keeper-setup skill will handle the rest.

Permission denied when running CLI commands Make sure your KSM profile or Commander session has the right permissions. Keeper's RBAC policies apply to all CLI access. Talk to your Keeper admin if you need additional role assignments.

Skills installed globally but not loading in a project Some agents prioritize project-level skills over global ones. If a project has its own skills directory, global skills may be hidden. Check with npx skills list or /plugin in Claude Code.

Resources

• GitHub: Keeper-Security/keeper-agent-kit

• KSM CLI Docs: Secrets Manager CLI

• Commander CLI Docs: Commander Overview

• Keeper Notation: keeper:// URI references

• Issues & Features: GitHub Issues

• Support: keepersecurity.com/support