Mema Vault
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a local credential-vault skill with no network behavior, but it handles raw passwords through command-line arguments and makes stronger security claims than the implementation supports.
Install only if you are comfortable with a local, workspace-stored vault. Avoid entering real secrets as command-line arguments, protect MEMA_VAULT_MASTER_KEY carefully, and require explicit review before any use of --show. The author should update the documentation and input method before this is used for high-value credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that obtains the master key and vault files may be able to decrypt stored secrets.
The vault depends on a master key that can unlock stored credentials. This is purpose-aligned, but it is sensitive authority that users must protect.
Master Key: Must be set as an environment variable `MEMA_VAULT_MASTER_KEY`.
Use a strong, unique master key and avoid storing it in shared shell profiles, logs, or project files.
A password meant to be protected by the vault could be exposed before it is encrypted or when retrieved with --show.
The implementation accepts the secret as a command-line argument and can print the raw decrypted password. In agent/tool contexts, command arguments and stdout may be captured in transcripts, shell history, logs, or process listings.
`add_p.add_argument("password") ... print(f"Pass: {dec_pass if show else masked}")`
Do not pass real secrets as command-line arguments. Prefer an interactive prompt, stdin, or another non-logged secret input path, and require explicit user approval before using --show.
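One way to close the secret-input finding above, as an added example that is not the Mema Vault skill's own code: the `add` subcommand has no positional password at all (an extra argument is a usage error), reads the secret from stdin or a no-echo prompt, and `get` masks the value unless --show is given explicitly. The `handle`, `read_secret` and `render` names and the dict-backed store are assumptions; encryption at rest with a key from `MEMA_VAULT_MASTER_KEY` is out of scope here.

```python
import argparse
import getpass
import io
import sys
from typing import Dict, Optional


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="mema-vault")
    sub = p.add_subparsers(dest="cmd", required=True)
    add_p = sub.add_parser("add")
    add_p.add_argument("name")
    # Deliberately no positional "password": argv is visible in `ps`, shell
    # history and agent transcripts, so a stray extra argument is a usage error.
    add_p.add_argument("--password-stdin", action="store_true",
                       help="read one line from stdin instead of prompting")
    get_p = sub.add_parser("get")
    get_p.add_argument("name")
    get_p.add_argument("--show", action="store_true",
                       help="print the raw secret (masked by default)")
    return p


def read_secret(from_stdin: bool, stream: Optional[io.TextIOBase] = None) -> str:
    """Obtain the secret without it ever being an argv element."""
    if from_stdin:
        secret = (stream or sys.stdin).readline().rstrip("\r\n")
    else:
        secret = getpass.getpass("Secret: ")  # no echo, no shell-history entry
    if not secret:
        raise ValueError("empty secret refused")
    return secret


def render(name: str, secret: str, show: bool) -> str:
    """Output of `get`: the raw value only when --show was explicitly given.
    The mask has a fixed shape so stdout does not even leak the length."""
    return f"{name}: {secret if show else '********'}"


def handle(argv, store: Dict[str, str], stream: Optional[io.TextIOBase] = None) -> str:
    """Dispatch one CLI invocation against `store` (a plain dict in this example;
    the real vault would encrypt the value at rest before writing it)."""
    args = build_parser().parse_args(argv)
    if args.cmd == "add":
        store[args.name] = read_secret(args.password_stdin, stream)
        return f"stored {args.name}"
    if args.name not in store:
        raise KeyError(args.name)
    return render(args.name, store[args.name], args.show)


if __name__ == "__main__":  # constructed session: secret arrives via stdin, never argv
    vault: Dict[str, str] = {}
    print(handle(["add", "db", "--password-stdin"], vault, io.StringIO("hunter2\n")))
    print(handle(["get", "db"], vault))            # db: ********
    print(handle(["get", "db", "--show"], vault))  # db: hunter2
```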
Users may trust the vault for more protection or functionality than the included implementation actually provides.
The documentation makes strong security and feature claims. The provided script exposes set/get/list commands only and does not show a rotation workflow; the AES-256/Fernet wording is also stronger than the implementation clearly demonstrates.
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets...
Correct the documentation to match the code, implement and document rotation if intended, and describe the exact cryptographic construction accurately.
The installed dependency version may vary between environments.
Installing cryptography is expected for this vault, but the package is unpinned and the registry says there is no install spec, which leaves some provenance and reproducibility ambiguity.
`"install":[{"id":"pip","kind":"exec","command":"pip install cryptography"}]`
Pin the dependency version and keep registry install metadata consistent with the skill metadata.
