Credential Vault
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's stated purpose (a local credential vault that injects secrets into subprocesses) is plausible and mostly consistent with its requirements, but important details are missing. Installing the npm plugin, which is not included in the skill bundle, and letting it register OpenClaw hooks are material risks you should review before installing.
This skill appears to implement a reasonable local credential vault, but the package you would install is not included in the skill bundle, so you cannot audit it here. Before installing:
(1) review the GitHub repository and the npm package contents (src/hooks, key-derivation code, scrubbing code, and tests) and confirm the publisher and package integrity (checksums/signatures);
(2) verify exactly how the encryption key is derived and where any secrets are stored;
(3) consider running the plugin in a controlled/test environment first (it requires restarting the gateway and registers hooks with broad ability to inject and see subprocess I/O);
(4) beware that scrubbing can fail; check the audit.log and test injection/scrubbing thoroughly for your tools;
(5) prefer installing from a vetted source or building from the reviewed source rather than blindly running npm install -g.
If you cannot review the package source or confirm the publisher, treat installation as high risk.
SkillSpector
SkillSpector findings are pending for this release.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
