X1 Vault Memory
v0.1.10Backup and restore OpenClaw agent memory to IPFS with AES-256-GCM encryption and X1 blockchain CID anchoring
⭐ 0· 608·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (IPFS + AES-256-GCM + X1 anchoring) aligns with the code: archive workspace files, encrypt with AES-256-GCM (key derived from local wallet.json secretKey), upload to Pinata, and submit a signed transaction to an X1 RPC. However the registry summary at the top of the package info (which lists no required env vars or config paths) contradicts SKILL.md and package.json which explicitly require PINATA_JWT and x1_vault_cli/wallet.json. That metadata mismatch is likely a packaging/registration oversight but should be corrected/verified.
Instruction Scope
Runtime instructions and code act on agent workspace files (IDENTITY.md, SOUL.md, USER.md, TOOLS.md, memory/) and use Pinata and an X1 RPC. Heartbeat auto-restore is opt-in (cron example provided) and the code validates CIDs and checksums. Heartbeat invokes restore via execFileSync('node', ...), which is expected for this tool but means the skill will run local commands if you schedule it—confirm you only enable cron if you trust the code.
Install Mechanism
No remote 'curl|sh' or arbitrary URL downloads; dependencies are normal npm packages declared in package.json and lockfile. The install is npm install (node modules from public registries). That is standard but remember npm packages have their own supply-chain risk—review dependencies if you require high assurance.
Credentials
The only required secret is PINATA_JWT (Pinata pinFileToIPFS) and a local wallet keypair file (x1_vault_cli/wallet.json). Both are sensitive but justified by the functionality: Pinata auth for uploads and the private key for encryption/signing. Ensure the Pinata key is scoped/minimal and the wallet is a dedicated wallet (the project advises this).
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. It requires a local wallet file and environment variable but does not attempt to persist itself beyond normal files in the workspace.
What to consider before installing
This skill appears to implement the advertised backup/restore pipeline, but review these points before installing:
- Metadata mismatch: the registry summary said no required envs/configs, but SKILL.md and package.json do require PINATA_JWT and x1_vault_cli/wallet.json. Verify the package metadata and that you provide only intended secrets.
- Sensitive secrets: the skill needs a wallet.json (private key) and a Pinata JWT. Use a dedicated, low-value wallet and create a Pinata JWT scoped to pinFileToIPFS only; keep both off version control and rotate/revoke tokens if compromised.
- X1 anchoring: the anchoring code reuses @solana/web3.js and Solana memo program IDs; confirm that the X1 RPC and on-chain memo behavior are compatible in your environment (test on a testnet or a disposable wallet first). If anchoring fails, the backup still stays on IPFS but won't be recorded on-chain.
- Cron/heartbeat: the heartbeat auto-restore is opt-in. Do not enable cron/auto-restore unless you trust the code and want automatic restores that execute local commands.
- Dependency risk: npm install pulls many packages. If you require higher assurance, audit dependencies or run in an isolated container/VM.
If you trust the author and the code after these checks, the skill is coherent with its stated purpose. If anything feels off (unknown source, unexpected metadata), test in an isolated environment or refrain from installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97avx9mm51cm6z6zeyhdv0c7981fmym
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🦞 Clawdis