ClawHub

Vault

v1.1.2

Secure local password storage tool with AES-256-GCM encryption. Store, retrieve, and manage passwords with CLI commands.

3· 1.1k·11 current·11 all-time
byzuiho@zuiho-kai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node, npm), required env var (VAULT_MASTER_KEY), and bundled code all align with implementing a local Node-based password vault. Requested items are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs only to set a master key and use the CLI; the runtime code only reads the plugin config, the VAULT_MASTER_KEY env var, and a storage file under the user's home directory. There are no instructions to read unrelated files, query external endpoints, or exfiltrate data.
Install Mechanism
No install script or external downloads are declared; package has no external dependencies. The skill is instruction + bundled source only, which is the lowest install risk profile.
Credentials
Only VAULT_MASTER_KEY is required (declared in both SKILL.md and openclaw.plugin.json). No additional unrelated secrets or config paths are requested. Note: storing masterKey in a persistent config would persist a secret—SKILL.md explicitly shows this option.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent settings. It registers itself via the normal API and does not request elevated or persistent platform privileges.
Assessment
This plugin appears to implement what it claims: a local AES-256-GCM encrypted vault. Before installing, consider the following: - Keep the master key secret and do not commit it to source control; if you place it in the OpenClaw config file that config will contain a persistent secret. - The vault stores encrypted data at ~/.vault/passwords.json by default—set strict file permissions (chmod 600) and add the directory to .gitignore. - Backup your master key; losing it will make stored passwords unrecoverable. - The code runs locally and contains no network calls, but only install if you trust the plugin source (verify the GitHub repo and author). For high-value secrets, prefer a well-audited password manager or cryptographic audit.

Like a lobster shell, security has layers — review code before you run it.

latestvk97da11fwdhmq8vfrx47cbhs5n818462

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npm
EnvVAULT_MASTER_KEY

Comments