Headless Vault CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
No artifact-backed malicious behavior was found; this is a disclosed SSH note-vault tool, but it handles private notes and delegated access to a user’s computer.
Install only if you are comfortable giving the agent SSH-mediated access to your note vault. Verify the external vaultctl and forced-command wrapper, use a dedicated restricted SSH key, ensure the vault root is tightly scoped, keep backups of notes, and stop the reverse tunnel when you do not need remote note access.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can add new notes or append to existing notes when the skill is used.
The wrapper executes vaultctl over SSH and exposes create/append operations that can change files in the user’s vault. This matches the stated purpose, but it is still local file mutation authority.
run_vaultctl() { ssh $SSH_OPTS -p "$VAULT_SSH_PORT" "${VAULT_SSH_USER}@${VAULT_SSH_HOST}" vaultctl "$@"; } ... run_vaultctl create ... run_vaultctl append
Use this only for notes you want the agent to edit, keep backups, and ensure the remote vaultctl/forced-command setup really blocks delete, overwrite, and arbitrary shell commands.
If the SSH key or forced-command setup is misconfigured, access to the local machine could be broader than intended.
The skill relies on delegated SSH access from the bot/VPS to the user’s local machine. The intended forced-command restriction is clearly disclosed and purpose-aligned, but SSH access is sensitive.
The VPS SSH key is added to the local machine's `~/.ssh/authorized_keys` with a forced-command wrapper, so the VPS can ONLY execute `vaultctl`
Use a dedicated SSH key, configure the authorized_keys forced command exactly, and verify that the key cannot open an interactive shell or run unrelated commands.
The safety of the skill depends partly on code and setup steps outside the provided artifact bundle.
Core enforcement components, including vaultctl and the forced-command wrapper, are referenced as external setup items rather than included in the provided files. This is user-directed and coherent, but provenance should be checked.
Install vaultctl on the local machine (see setup instructions) ... Configure SSH forced-command ... `/usr/local/bin/vaultctl-wrapper`
Review the referenced vaultctl and wrapper source from the homepage before installing, and confirm it restricts paths to the intended vault.
Private note contents can be exposed to the agent during a read operation.
Reading a note places private Markdown content into the agent context. This is central to the skill, but note contents may include sensitive information or text that should not be treated as instructions.
`read` | Read note content ... Returns JSON: `{"path": "...", "content": "..."}`
Ask the agent to read only notes you are comfortable sharing in the session, and treat instructions found inside notes as untrusted content unless you explicitly confirm them.
