Mema Vault
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that obtains the master key and vault files may be able to decrypt stored secrets.
The vault depends on a master key that can unlock stored credentials. This is purpose-aligned, but it is sensitive authority that users must protect.
Master Key: Must be set as an environment variable `MEMA_VAULT_MASTER_KEY`.
Use a strong, unique master key and avoid storing it in shared shell profiles, logs, or project files.
A password meant to be protected by the vault could be exposed before it is encrypted or when retrieved with --show.
The implementation accepts the secret as a command-line argument and can print the raw decrypted password. In agent/tool contexts, command arguments and stdout may be captured in transcripts, shell history, logs, or process listings.
add_p.add_argument("password") ... print(f"Pass: {dec_pass if show else masked}")
Do not pass real secrets as command-line arguments. Prefer an interactive prompt, stdin, or another non-logged secret input path, and require explicit user approval before using --show.
Users may trust the vault for more protection or functionality than the included implementation actually provides.
The documentation makes strong security and feature claims. The provided script exposes set/get/list commands only and does not show a rotation workflow; the AES-256/Fernet wording is also stronger than the implementation clearly demonstrates.
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets...
Correct the documentation to match the code, implement and document rotation if intended, and describe the exact cryptographic construction accurately.
The installed dependency version may vary between environments.
Installing cryptography is expected for this vault, but the package is unpinned and the registry says there is no install spec, which leaves some provenance and reproducibility ambiguity.
"install":[{"id":"pip","kind":"exec","command":"pip install cryptography"}]
Pin the dependency version and keep registry install metadata consistent with the skill metadata.
