AgentVault
Security checks across malware telemetry and agentic risk
Overview
AgentVault is a coherent credential-vault skill, but it needs review because it can give agents access to stored secrets and MCP vault tools without a clearly stated confirmation rule for retrieving secret values.
Before installing, make sure you trust the @inflectiv-ai/agentvault npm package and audit it if possible. If you use it, set a firm rule that the agent must ask before retrieving any secret value, exporting vault data, using wallet/signing functions, or starting MCP access. Connect MCP only to trusted local tools and periodically review stored memory and audit logs.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: An agent connected to the vault may be able to retrieve credentials or use secret-access tools in situations where the user expected approval first.
The skill text directs the agent toward an MCP tool capable of retrieving stored secrets. The approval table shown in the artifact gates secret add/remove/import and exports, but it does not clearly require explicit user confirmation before reading a secret value.
Artifact excerpt: If the AgentVault MCP server is already connected (check for `vault.secret.get`, `vault.memory.store` in available tools), **use the MCP tools directly**
Recommendation: Require explicit user confirmation for every secret-value read, MCP `vault.secret.get`, plaintext export, signing, wallet/private-key operation, and any use of credentials outside a user-specified task.

Finding: If MCP is connected to an untrusted or overly capable client, that client may be able to access vault functions intended only for trusted agent workflows.
The MCP server exposes sensitive vault, memory, export, and signing-related tools to connected clients. Starting the server is approval-gated, but the artifact does not describe authentication, client identity checks, or detailed access boundaries.
Artifact excerpt: `agentvault mcp start` ... `--transport <type>` ... `--port <n>` ... **12 MCP tools:** `vault.secret.get`, `vault.secret.list`, `vault.memory.store`, ... `vault.export`, `vault.sign_x402`
Recommendation: Run the MCP server only for trusted local clients, prefer stdio/local-only use, review which tools are exposed, and verify AgentVault's profile and authentication behavior before storing valuable secrets.

Finding: Old, incorrect, sensitive, or maliciously framed memory entries could affect future agent responses if the agent over-trusts retrieved memory.
The skill intentionally reuses persistent stored memory across tasks. It states that memory writes require approval, but queried memory can still influence later agent behavior.
Artifact excerpt: Starting a new task → autonomously query memory to check for prior knowledge: `agentvault memory query "<topic>"`
Recommendation: Review stored memory periodically, approve memory writes deliberately, use TTLs/tags where possible, and treat retrieved memory as context to verify rather than as authoritative instructions.

Finding: The security of the vault depends on the npm package and its dependencies, not just on this instruction file.
The actual vault implementation is obtained from npm rather than included in the scanned skill artifacts. The skill asks for approval and suggests auditing the tarball, which is appropriate, but the package code was not reviewed here.
Artifact excerpt: `npm install -g @inflectiv-ai/agentvault` ... `npm pack @inflectiv-ai/agentvault` downloads the tarball without executing anything
Recommendation: Install only after verifying the npm package provenance, reviewing the tarball or source, and confirming the version you intend to trust.
