ClawHub

Anydef Enc

v2.1.1

Local-Only Agent Data Encryption. High-security MK->KEK->DEK hierarchy for local agent data.

0· 95·0 current·0 all-time
by@anydefai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anydefai/anydef-enc.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Anydef Enc" (anydefai/anydef-enc) from ClawHub.
Skill page: https://clawhub.ai/anydefai/anydef-enc
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install anydef-enc

ClawHub CLI

Package manager switcher

npx clawhub@latest install anydef-enc
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (local agent data encryption using MK->KEK->DEK) matches the included code and docs. Minor inconsistency: SKILL.md at one point says the Salt is stored "in your environment," but the implementation stores the Salt in window.storage. This is plausibly a documentation mismatch rather than malicious behavior, but you should confirm what "environment" means in your deployment.
Instruction Scope
Runtime instructions are narrowly scoped: derive MK from passphrase, manage KEK/DEKs, encrypt/decrypt scoped data. The code only reads/writes named keys in window.storage (prefixed with enc-...), and it does not perform network calls. Note: this relies on the platform's window.storage being a local, agent-scoped store — if that storage is global/shared or synced off-device, the "zero network" guarantee is weakened.
Install Mechanism
No install spec or remote downloads; the skill is instruction/code-only and does not pull external artifacts at runtime. That keeps the install risk low.
Credentials
The skill requests no environment variables or credentials and doesn't attempt to access external secrets. It does include support for encrypting 'api-keys' in its storage model, which is reasonable for a local vault. Confirm that storing encrypted API keys in window.storage meets your threat model and that the storage is isolated and not backed up or synced to external services.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It persistently stores Salt, wrapped KEK, and wrapped DEKs in window.storage (expected for a vault). It does not modify other skills' configs or request system-wide settings.
Assessment
This appears to be an internally consistent local encryption toolkit, but check these before installing: - Confirm what window.storage maps to in your OpenClaw environment: is it per-agent local-only storage or can it be read by other agents or synced to cloud backups? If it's shared/synced, the "zero network" and privacy claims are weakened. - Note the irreversible nature: if you lose the passphrase you will permanently lose access to encrypted data. Plan passphrase management/backups accordingly. - Verify the storage key naming and isolation policy on the platform so the skill cannot unintentionally access unrelated keys/data. - If you plan to store sensitive API keys in this vault, ensure you understand how those encrypted blobs are backed up or exported by the platform. - The docs/text have a small inconsistency about where Salt is stored—confirm documentation vs implementation alignment. If uncertain, have a reviewer with knowledge of your agent host confirm window.storage behavior and that no background sync or telemetry will leak vault data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739aas8snrtwmx8b6a1qvaph851dgm
95downloads
0stars
3versions
Updated 1w ago
v2.1.1
MIT-0
@anydefai
latest
Download

anydef-enc: Local Security Toolkit

This skill provides mandatory encryption for OpenClaw agents. It operates in Local Manual Mode, meaning no external network requests are made, and encryption keys are derived from a user passphrase.

Key Hierarchy

  1. Master Key (MK): Derived from your passphrase using PBKDF2 (100,000 iterations).
    • Persistence: A unique "Salt" is stored in your environment. As long as you remember your passphrase, the same Master Key will be generated across reboots.
  2. Key Encryption Key (KEK): Generated randomly and encrypted by your MK. Stored in window.storage.
  3. Data Encryption Keys (DEKs): Scoped keys (e.g., memory, assets) encrypted by the KEK and stored in window.storage.

Security Disclosure

  • Zero Network: This skill does NOT perform any external network requests. All crypto operations happen via standard Web APIs in your browser.
  • No Cleartext Keys: Keys are never stored in cleartext. They are always "wrapped" (encrypted) by a higher-level key.
  • Passphrase Obligation: You must provide your passphrase to "unlock" the vault after هر reboot or session expiry. If you forget your passphrase, existing encrypted data is lost forever.

Selective Encryption

Configure which scopes to protect in your settings:

  • history: Conversation logs.
  • memory: Agent's semantic memory.
  • assets: All uploaded files.

Usage

import { EncryptionService } from './encryption-service.js';

// Unlock once per session
await EncryptionService.unlock('your-passphrase');

// Use throughout the session
const secretData = await EncryptionService.encrypt('memory', 'Sensitive intelligence...');

Comments

Loading comments...