Mema Vault
v1.1.9Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys,...
⭐ 0· 678·1 current·1 all-time
byazzar budiyanto@1999azzar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill is a local vault and only requests a single environment variable (MEMA_VAULT_MASTER_KEY), which aligns with the stated purpose. Minor inconsistency: documentation claims "AES-256-CBC (via Python `cryptography` Fernet)", but Fernet's specification and common implementations do not match a plain "AES-256-CBC" claim — this is a wording/accuracy issue in the README, not evidence of hidden functionality.
Instruction Scope
SKILL.md instructs the agent to run the included CLI script and to install the `cryptography` package. Runtime behavior in the script is limited to reading MEMA_VAULT_MASTER_KEY, creating/reading data/salt.bin and data/vault.db in the workspace, and printing masked output by default. The only potentially surprising behaviors are (1) the `get` command uses a SQL LIKE (%...%) query (could return partial matches), (2) the --show flag prints raw secrets to console when used, and (3) audit information is written to console rather than a structured log — all of which are documented or obvious in the script.
Install Mechanism
No global install spec was recorded in the registry manifest, but SKILL.md includes metadata to run `pip install cryptography`. Installing from PyPI is a standard, low-to-moderate risk action. There are no downloads from arbitrary URLs or archive extraction steps.
Credentials
Only MEMA_VAULT_MASTER_KEY is required, which is appropriate for a local vault. The script does not request unrelated credentials or external service keys.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does persist an encrypted SQLite DB and a salt file under data/ in the workspace; users should be aware these files remain on disk and protect workspace storage and backups accordingly.
Assessment
This skill appears to be what it claims: a local, master-key protected vault. Before installing, do the following: 1) Validate the Master Key is injected securely (prefer process-scoped secrets or an agent-managed secret store rather than a long-lived system-wide env var). 2) Review and accept that the vault stores an encrypted SQLite DB and salt at data/ in the workspace — protect those files and backups. 3) Be careful with the `--show` flag (it prints raw secrets to console). 4) Note the SKILL.md/ security-policy wording about "AES-256-CBC" is misleading; if you require a specific cryptographic guarantee, review the cryptography usage and parameters yourself. 5) Confirm you are comfortable installing the `cryptography` PyPI package in the agent runtime environment.Like a lobster shell, security has layers — review code before you run it.
aes-256vk97byr633bfgqewbje6a9fj69d8192jkencryptionvk97byr633bfgqewbje6a9fj69d8192jklatestvk97byr633bfgqewbje6a9fj69d8192jksecretsvk97byr633bfgqewbje6a9fj69d8192jksecurityvk97byr633bfgqewbje6a9fj69d8192jkvaultvk97byr633bfgqewbje6a9fj69d8192jk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvMEMA_VAULT_MASTER_KEY