Mema Vault
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: mema-vault
Version: 1.1.9

The Mema Vault skill is a well-implemented local credential manager. It uses strong cryptographic practices (AES-256, PBKDF2HMAC with 480,000 iterations, random salt) and stores data securely within its workspace. It requires a master key from environment variables, employs parameterized SQLite queries to prevent SQL injection in `scripts/vault.py`, and masks sensitive output by default. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md. The dependencies and installation steps are legitimate for its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that obtains the master key and vault files may be able to decrypt stored secrets.
The vault depends on a master key that can unlock stored credentials. This is purpose-aligned, but it is sensitive authority that users must protect.
Master Key: Must be set as an environment variable `MEMA_VAULT_MASTER_KEY`.
Use a strong, unique master key and avoid storing it in shared shell profiles, logs, or project files.
A password meant to be protected by the vault could be exposed before it is encrypted or when retrieved with --show.
The implementation accepts the secret as a command-line argument and can print the raw decrypted password. In agent/tool contexts, command arguments and stdout may be captured in transcripts, shell history, logs, or process listings.
Evidence: `add_p.add_argument("password") ... print(f"Pass: {dec_pass if show else masked}")`
Do not pass real secrets as command-line arguments. Prefer an interactive prompt, stdin, or another non-logged secret input path, and require explicit user approval before using --show.
Users may trust the vault for more protection or functionality than the included implementation actually provides.
The documentation makes strong security and feature claims. The provided script exposes set/get/list commands only and does not show a rotation workflow; the AES-256/Fernet wording is also stronger than the implementation clearly demonstrates.
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets...
Correct the documentation to match the code, implement and document rotation if intended, and describe the exact cryptographic construction accurately.
The installed dependency version may vary between environments.
Installing cryptography is expected for this vault, but the package is unpinned and the registry says there is no install spec, which leaves some provenance and reproducibility ambiguity.
Evidence: `"install":[{"id":"pip","kind":"exec","command":"pip install cryptography"}]`
Pin the dependency version and keep registry install metadata consistent with the skill metadata.
