SwarmVault
v0.2.1Use SwarmVault when the user needs a local-first knowledge vault that writes durable markdown, graph, search, review, and MCP artifacts to disk from files, U...
⭐ 1· 199·0 current·0 all-time
byWayde@waydelyle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the declared needs: the skill expects a 'swarmvault'/'vault' CLI and documents commands that read/write local vault files and expose graph/search—all coherent with a local knowledge-vault tool.
Instruction Scope
SKILL.md instructs the agent to run many CLI commands that ingest URLs, add repositories, compile, save durable artifacts to wiki/ and state/, install agent-specific hooks, and run 'swarmvault mcp' to expose the vault. These behaviors are expected for the vault but do grant the CLI the ability to fetch remote content and to expose local data externally via MCP or agent hooks; treat those features as privacy/network-surface decisions rather than unexpected scope creep.
Install Mechanism
Install uses a public npm package (@swarmvaultai/cli) that provides the documented binaries. npm global installation is the expected delivery mechanism. This is a moderate-risk install vector (third-party package execution) but proportional and standard for a CLI.
Credentials
The skill declares no environment variables or credentials; it only depends on having the CLI binary available. The absence of unrelated secrets or config requirements matches the stated local-first purpose.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does include guidance to install agent-specific hooks and to run 'mcp', which can create local project hooks or serve data—reasonable for a vault but increases blast radius if the user exposes sensitive data. The skill does not attempt to modify other skills or system-wide agent settings beyond installing project-local hooks.
Assessment
This package appears to be what it claims: a CLI-driven, local-first vault. Before installing: (1) verify the npm package and its GitHub repo (review recent releases and the package code) to ensure it matches expectations; (2) install and run it in a non-sensitive test workspace first — ingestion and compile write durable files under raw/, wiki/, and state/; (3) be cautious with commands that ingest remote URLs or run 'swarmvault mcp' or 'install --agent --hook' since those expose data or add integrations — do not enable MCP/external hooks on a vault containing sensitive material; (4) note that npm -g modifies your system PATH and requires Node >=24; (5) if you want ephemeral checks, prefer '--no-save' where supported. If you need a deeper risk assessment, provide the npm package source (or the installed package contents) so its runtime behavior and any network endpoints can be inspected.Like a lobster shell, security has layers — review code before you run it.
graphvk9775bs63knvp7s269bbazvs6d84ecazknowledgevk977wjyfaxzg7m5psrj6r0fpe184aed5knowledge-basevk9775bs63knvp7s269bbazvs6d84ecazlatestvk9775bs63knvp7s269bbazvs6d84ecazlocal-firstvk9775bs63knvp7s269bbazvs6d84ecazmarkdownvk9775bs63knvp7s269bbazvs6d84ecazmcpvk9775bs63knvp7s269bbazvs6d84ecazswarmvaultvk9775bs63knvp7s269bbazvs6d84ecaz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🗃️ Clawdis
Any binswarmvault, vault
Install
Install SwarmVault CLI (npm)
Bins: swarmvault, vault
npm i -g @swarmvaultai/cli