Vault
Secure local password storage tool with AES-256-GCM encryption. Store, retrieve, and manage passwords with CLI commands.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by zuiho @zuiho-kai
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node, npm), required env var (VAULT_MASTER_KEY), and bundled code all align with implementing a local Node-based password vault. Requested items are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs only to set a master key and use the CLI; the runtime code only reads the plugin config, the VAULT_MASTER_KEY env var, and a storage file under the user's home directory. There are no instructions to read unrelated files, query external endpoints, or exfiltrate data.
Install Mechanism
No install script or external downloads are declared; package has no external dependencies. The skill is instruction + bundled source only, which is the lowest install risk profile.
Credentials
Only VAULT_MASTER_KEY is required (declared in both SKILL.md and openclaw.plugin.json). No additional unrelated secrets or config paths are requested. Note: storing masterKey in a persistent config would persist a secret—SKILL.md explicitly shows this option.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent settings. It registers itself via the normal API and does not request elevated or persistent platform privileges.
Assessment
This plugin appears to implement what it claims: a local AES-256-GCM encrypted vault. Before installing, consider the following:
- Keep the master key secret and do not commit it to source control; if you place it in the OpenClaw config file that config will contain a persistent secret.
- The vault stores encrypted data at ~/.vault/passwords.json by default—set strict file permissions (chmod 600) and add the directory to .gitignore.
- Backup your master key; losing it will make stored passwords unrecoverable.
- The code runs locally and contains no network calls, but only install if you trust the plugin source (verify the GitHub repo and author). For high-value secrets, prefer a well-audited password manager or cryptographic audit.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.1.2
Runtime requirements
Bins: node, npm
Env: VAULT_MASTER_KEY
SKILL.md
vault
Use when you need secure local storage for passwords, API keys, or credentials.
🔒 AES-256-GCM encryption - This plugin stores passwords encrypted using industry-standard AES-256-GCM encryption with a master key.
Features
- 🔒 AES-256-GCM encryption for all stored passwords
- 📝 Simple command-line interface
- 🗂️ Key management and listing
- 💾 JSON-based local storage (encrypted)
- 🕐 Automatic timestamp tracking
- 🔑 Master key protection
Installation
clawhub install vault
Usage
Set a password
vault gemini sk-abc123xyz
Show a password
vault gemini show
Remove a password
vault gemini remove
List all keys
vault list
Configuration
Master Key (Required)
Set your master encryption key via environment variable:
export VAULT_MASTER_KEY="your-secure-master-key-here"
Or in your OpenClaw config:
{
  "plugins": {
    "vault": {
      "masterKey": "your-secure-master-key-here",
      "storageFile": ".vault/passwords.json"
    }
  }
}
Options:
- masterKey - Master encryption key (can also use VAULT_MASTER_KEY env var)
- storageFile (default: .vault/passwords.json) - Storage file path relative to home directory
⚠️ Important: Keep your master key secure! Without it, you cannot decrypt stored passwords.
Security
🔒 Encryption Details:
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key Derivation: scrypt with random salt per password
- IV: Random 12-byte initialization vector per password (GCM recommended size)
- Salt: Random 32-byte salt per password, stored with encrypted data
- Authentication: GCM authentication tag for integrity verification
Security Best Practices:
- Use a strong, unique master key (minimum 32 characters recommended)
- Store master key securely (environment variable or secure config)
- Set strict file permissions: chmod 600 ~/.vault/passwords.json
- Add .vault/ to your .gitignore
- Never commit your master key to version control
- Use system-level disk encryption for additional protection
- Backup your master key securely - lost keys mean lost passwords
Suitable for:
- Development/testing credentials
- API keys and tokens
- Personal passwords
- Team shared credentials (with secure key distribution)
Examples
# Save API keys
vault openai sk-proj-abc123
vault anthropic sk-ant-xyz789
# View a key
vault openai show
# Output: Password for 'openai': sk-proj-abc123
# List all keys
vault list
# Output:
# Stored passwords:
# • openai (created: 2026-02-17T..., updated: 2026-02-17T...)
# • anthropic (created: 2026-02-17T..., updated: 2026-02-17T...)
# Remove a key
vault openai remove
