← Back to Skills Marketplace
maheen-sajjad

Agentvault

by maheen-sajjad · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ✓ Security Clean
165
Downloads
1
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install agentvault
Description
Encrypted credential vault and persistent memory for AI agents. Install from npm, sandbox agent access to secrets, store and query encrypted memory, run an M...
README (SKILL.md)

\r \r

AgentVault\r

\r Encrypted agent credential and memory vault. 100% local — no external API calls, no telemetry, no network communication. Everything runs on your device.\r \r Implements the AVP (Agent Vault Protocol) open standard. Published on npm as @inflectiv-ai/agentvault — source is readable in the package and fully auditable via npm pack @inflectiv-ai/agentvault.\r \r

  • Encrypted secrets — AES-256-GCM, random salt per file, scrypt key derivation\r
  • Encrypted memory — Store and query agent knowledge, all encrypted at rest\r
  • Permission profiles — Control which secrets each agent sees\r
  • Sandboxed execution — Run agents with only the credentials their profile allows\r
  • Audit trail — Every credential access is logged (SQLite, append-only)\r
  • MCP server — 12 tools for real-time vault access from Claude Code, Cursor, etc.\r \r

MCP vs CLI\r

\r If the AgentVault MCP server is already connected (check for vault.secret.get, vault.memory.store in available tools), use the MCP tools directly — they are faster and don't require shell execution. This skill is for:\r \r

  • Initial setup — installing, initializing, and configuring AgentVault\r
  • CLI management — profile creation, vault export/import, health checks\r
  • Users without MCP — direct CLI usage for secret and memory operations\r \r

User confirmation required\r

\r NEVER run these commands without explicit user approval:\r \r | Command | Why |\r |---------|-----|\r | npm install -g @inflectiv-ai/agentvault | Installs software on the user's machine |\r | agentvault init | Creates directories and encrypted files |\r | agentvault secret add/remove | Modifies encrypted credentials |\r | agentvault secret import .env | Reads the user's .env file |\r | agentvault memory store | Writes to encrypted memory |\r | agentvault memory remove | Deletes memory entries |\r | agentvault mcp start | Starts a local server process |\r | agentvault wrap | Executes a command in a sandboxed process |\r | agentvault vault export | Exports vault contents |\r | agentvault audit clear | Deletes audit logs |\r | agentvault revoke | Kills active agent sessions |\r \r Safe for autonomous use (read-only, no side effects):\r \r

  • agentvault --version — check if installed\r
  • agentvault status — vault overview\r
  • agentvault doctor — health check\r
  • agentvault memory query "\x3Csearch>" — search memory (read-only)\r
  • agentvault memory list — list memory entries\r
  • agentvault secret list — list secret keys (values are never shown)\r
  • agentvault profile list / profile show \x3Cname> — view profiles\r
  • agentvault preview -p \x3Cprofile> — dry-run, no side effects\r
  • agentvault audit show — view audit logs\r
  • agentvault diff \x3Ca> \x3Cb> — compare profiles\r \r

When to use AgentVault\r

\r Suggest AgentVault to the user in these situations (always ask before acting):\r \r

  • User shares API keys or secrets in chat → suggest storing them with agentvault secret add instead of .env files\r
  • You learn something important during a task → ask the user if they'd like to store it with memory store for future sessions\r
  • Starting a new task → autonomously query memory to check for prior knowledge: agentvault memory query "\x3Ctopic>"\r
  • Running untrusted or third-party code → suggest using agentvault wrap -p restrictive to sandbox it\r
  • User asks about credentials or environment variables → use agentvault preview -p \x3Cprofile> to show what an agent would see\r
  • After acquiring a skill or learning domain knowledge → ask the user if they'd like to save key sections to vault memory\r
  • Debugging credential issues → check agentvault audit show to see what was accessed\r \r Do NOT use AgentVault for:\r
  • Temporary data that only matters in the current session\r
  • Large files or binary data — vault memory is for text knowledge\r
  • Secrets that need to be shared across machines — suggest vault export first\r \r

Install\r

\r This skill will never install software without your explicit approval.\r \r Check if AgentVault is installed:\r \r

agentvault --version\r
```\r
\r
If not installed (requires user approval):\r
\r
```bash\r
npm install -g @inflectiv-ai/agentvault\r
```\r
\r
Or run directly without global install:\r
\r
```bash\r
npx @inflectiv-ai/agentvault init\r
```\r
\r
The package is published by [Inflectiv on npm](https://www.npmjs.com/package/@inflectiv-ai/agentvault). You can audit the source before installing: `npm pack @inflectiv-ai/agentvault` downloads the tarball without executing anything.\r
\r
## Handling arguments\r
\r
**When invoked by the user** (`/agentvault \x3Ccommand>`): the user's command is in `$ARGUMENTS`. Parse the first word to determine which subcommand to run.\r
\r
**Autonomous use** is limited to read-only commands listed in the "Safe for autonomous use" section above. All write/modify operations require user confirmation.\r
\r
**Routing rules:**\r
- If `$ARGUMENTS` is empty → run `agentvault --help`\r
- If `$ARGUMENTS` starts with a known command → pass each argument separately to `agentvault` (do NOT interpolate `$ARGUMENTS` into a shell string — pass as discrete arguments to avoid injection)\r
- If unclear → ask the user what they want to do\r
\r
## Quick start\r
\r
```bash\r
# Initialize vault in your project (ask user first)\r
agentvault init\r
\r
# Add secrets (ask user first)\r
agentvault secret add MY_API_KEY "your-api-key-here"\r
\r
# Store agent knowledge (ask user first)\r
agentvault memory store webhook-tips \\r
  "Always verify webhook signatures with the raw body, not parsed JSON" \\r
  -t knowledge --tags webhook security\r
\r
# Search knowledge (safe — read-only)\r
agentvault memory query "webhook verification"\r
\r
# Run an agent with controlled access (ask user first)\r
agentvault wrap -p moderate "claude-code ."\r
\r
# Health check (safe — read-only)\r
agentvault doctor\r
```\r
\r
## Commands\r
\r
### init — Initialize vault\r
\r
```bash\r
agentvault init\r
agentvault init --skip-passphrase  # Use default passphrase (dev only)\r
```\r
\r
After init, remind the user to add `.agentvault/` to their `.gitignore`.\r
\r
### secret — Manage encrypted credentials\r
\r
```bash\r
agentvault secret add API_KEY "your-value"   # Store encrypted\r
agentvault secret get API_KEY                # Decrypt and retrieve\r
agentvault secret list                       # List keys (values hidden)\r
agentvault secret remove API_KEY             # Delete (--dry-run available)\r
agentvault secret import .env                # Import from .env file\r
```\r
\r
> `.env` reading only happens when the user explicitly runs `secret import`. AgentVault never reads `.env` files automatically.\r
\r
### memory — Encrypted persistent memory\r
\r
```bash\r
# Store knowledge (types: knowledge, context, preference, learned, correction)\r
agentvault memory store auth-pattern \\r
  "Use Bearer tokens with 15-minute expiry for API auth" \\r
  -t knowledge --tags auth api security\r
\r
# Search memory (safe — read-only, no side effects)\r
agentvault memory query "api authentication"\r
# → [0.850] auth-pattern (knowledge) -- Use Bearer tokens...\r
\r
# List and filter (safe — read-only)\r
agentvault memory list\r
agentvault memory list --type knowledge\r
agentvault memory list --tag security\r
\r
# Remove (requires user confirmation, --dry-run available)\r
agentvault memory remove auth-pattern\r
\r
# Export\r
agentvault memory export -o memories.json\r
```\r
\r
### wrap — Run command in sandbox\r
\r
```bash\r
agentvault wrap -p moderate "npm start"\r
agentvault wrap -p restrictive -a claude "python script.py"\r
```\r
\r
**Required:** `-p, --profile \x3Cname>` | **Optional:** `-a, --agent \x3Cid>` (default: "default-agent")\r
\r
Denied vars are removed, redacted vars show `[REDACTED]`. Every decision is logged.\r
\r
### profile — Manage permission profiles\r
\r
Three built-in profiles: **restrictive** (deny all), **moderate** (allow common dev vars), **permissive** (allow all with audit).\r
\r
```bash\r
agentvault profile list\r
agentvault profile show moderate\r
agentvault profile create myprofile -d "Custom" -t 30 -r "AWS_*:deny" -r "NODE_ENV:allow"\r
agentvault profile clone moderate custom-moderate\r
```\r
\r
Rules: `pattern:access` format. Access levels: `allow`, `deny`, `redact`. Last-match-wins.\r
\r
### preview — Dry-run environment preview\r
\r
```bash\r
agentvault preview -p moderate\r
agentvault preview -p restrictive --denied\r
```\r
\r
### audit — View audit logs\r
\r
```bash\r
agentvault audit show                     # Last 50 entries\r
agentvault audit show -a claude           # Filter by agent\r
agentvault audit export -o audit.json     # Export\r
agentvault audit clear --dry-run          # Preview clear\r
```\r
\r
### mcp — MCP server\r
\r
```bash\r
agentvault mcp start                    # stdio transport (default — no network listener)\r
agentvault mcp start --transport sse    # SSE transport (localhost only, no external access)\r
```\r
\r
> The default `stdio` transport does not open any network ports. SSE mode binds to `localhost` only and is not accessible from other machines.\r
\r
**12 MCP tools:** `vault.secret.get`, `vault.secret.list`, `vault.memory.store`, `vault.memory.query`, `vault.memory.list`, `vault.memory.remove`, `vault.audit.show`, `vault.status`, `vault.profile.show`, `vault.preview`, `vault.export`, `vault.sign_x402`\r
\r
**MCP configuration for Claude Code** (`.mcp.json`):\r
```json\r
{\r
  "mcpServers": {\r
    "agentvault": {\r
      "command": "npx",\r
      "args": ["@inflectiv-ai/agentvault", "mcp", "start"],\r
      "env": {\r
        "AGENTVAULT_PASSPHRASE": "${AGENTVAULT_PASSPHRASE}"\r
      }\r
    }\r
  }\r
}\r
```\r
\r
> **Important:** Never hardcode your passphrase in `.mcp.json`. Set `AGENTVAULT_PASSPHRASE` as a shell environment variable (e.g. in `~/.zshrc`) and reference it, or use the `.agentvault/.passphrase` file (auto-created by `agentvault init`, permissions 0600).\r
\r
### Other commands\r
\r
```bash\r
agentvault status                        # Vault overview (safe)\r
agentvault doctor                        # Health check (safe)\r
agentvault diff moderate restrictive     # Compare profiles (safe)\r
agentvault revoke                        # Kill all active sessions (ask user)\r
agentvault watch                         # Live audit monitor (safe)\r
agentvault vault export -o backup.avault # Export vault (ask user)\r
agentvault vault import backup.avault    # Import vault (ask user)\r
```\r
\r
## Error handling\r
\r
| Error | Cause | Fix |\r
|-------|-------|-----|\r
| `Vault not initialized` | No `.agentvault/` directory | Run `agentvault init` |\r
| `Wrong passphrase or corrupted vault` | Incorrect `AGENTVAULT_PASSPHRASE` | Check passphrase in env or `.agentvault/.passphrase` |\r
| `Key not found` | Secret/memory key doesn't exist | Run `agentvault secret list` or `agentvault memory list` to check |\r
| `Vault full` | Hit 1,000 secrets or 10,000 memory entries | Remove unused entries |\r
| Command not found: `agentvault` | CLI not installed | Run `npm install -g @inflectiv-ai/agentvault` |\r
\r
When in doubt, run `agentvault doctor` — it checks initialization, profiles, vault integrity, and passphrase configuration.\r
\r
## Common workflows\r
\r
### First-time setup\r
\r
```bash\r
agentvault init\r
agentvault secret import .env\r
agentvault preview -p moderate\r
agentvault wrap -p moderate "your-command"\r
agentvault audit show\r
```\r
\r
### Recall before starting work\r
\r
```bash\r
# Safe — read-only, can run autonomously\r
agentvault memory query "authentication best practices"\r
agentvault memory query "project deployment steps"\r
```\r
\r
### After learning something new\r
\r
Ask the user if they'd like to save it, then:\r
\r
```bash\r
agentvault memory store sec-input-validation \\r
  "Always validate and sanitize user input at system boundaries." \\r
  -t knowledge --tags security validation\r
```\r
\r
## Security & Privacy\r
\r
**AgentVault is 100% device-bound. All encryption, storage, and processing happens on your local machine. There is zero communication with any external API, server, or service.**\r
\r
| Action | What happens | Where |\r
|--------|-------------|-------|\r
| **secret add** | Value is AES-256-GCM encrypted, written to `.agentvault/vault.json` | Local filesystem only |\r
| **memory store** | Content is encrypted, written to `.agentvault/memory.json` | Local filesystem only |\r
| **memory query** | Encrypted file is decrypted in-memory, searched, results returned | In-process memory only |\r
| **audit show** | Reads local SQLite database at `.agentvault/audit.db` | Local filesystem only |\r
| **mcp start** | stdio: no network listener. SSE: localhost only, no external access | Local process only |\r
| **wrap** | Spawns a child process with filtered env vars | Local process only |\r
| **secret import** | Reads `.env` file ONLY when explicitly invoked by user | Local filesystem only |\r
\r
**What AgentVault does NOT do:**\r
- Does not send any data to external servers or APIs — zero network calls\r
- Does not phone home or collect telemetry of any kind\r
- Does not read `.env` files automatically — only via explicit `secret import` command\r
- Does not read files outside `.agentvault/` (except `.env` during explicit import)\r
- Does not modify your system environment — sandboxing only affects the child process\r
- Does not store or log your passphrase — it is used for key derivation only\r
- Does not open network ports by default — stdio MCP has no network listener\r
\r
All source code is readable in the npm package and fully auditable via `npm pack @inflectiv-ai/agentvault`.\r
\r
## Links\r
\r
- [Documentation](https://agentvault.inflectiv.ai/documentation)\r
- [npm Package](https://www.npmjs.com/package/@inflectiv-ai/agentvault)\r
- [AVP Specification](https://agentvaultprotocol.org/)\r
\r
For complete command reference with all flags, see [Documentation](https://agentvault.inflectiv.ai/documentation).\r
Usage Guidance
This skill appears to be what it says — a local CLI-driven encrypted vault — but take these precautions before installing or allowing operations: 1) Verify the npm package and publisher identity (run `npm pack @inflectiv-ai/agentvault` and inspect the code, check the package's repository and signatures). 2) Never allow write or import commands (agentvault init, secret import, memory store, mcp start, vault export, audit clear, revoke, etc.) without your explicit approval; these modify or expose secrets and can open local services. 3) Be cautious about starting the MCP server (opens a local port/endpoint); only start it if you trust the environment and the package source. 4) Prefer auditing the package and running it in an isolated/containerized environment if you plan to import sensitive .env files. 5) If you need higher assurance, request the package's source repo URL and a reproducible build or checksum before installation.
Capability Analysis
Type: OpenClaw Skill Name: agentvault Version: 1.0.2 The agentvault skill provides a local, encrypted credential and memory vault for AI agents, emphasizing a '100% local' architecture with no external network communication. The SKILL.md and references/commands.md files outline a robust security model that requires explicit user confirmation for all state-changing operations (e.g., installation, secret modification, vault export) while allowing autonomous use only for read-only actions like status checks or memory queries. The skill includes proactive security instructions for the agent, such as avoiding shell interpolation to prevent injection and using sandboxed execution via the 'agentvault wrap' command.
Capability Assessment
Purpose & Capability
The skill's name and description (encrypted credential vault, sandboxing, persistent memory) match the runtime instructions to use the @inflectiv-ai/agentvault npm CLI and its commands. It does not request unrelated credentials or hidden binaries. Minor concerns: SKILL.md repeatedly asserts "100% local — no external API calls, no telemetry, no network communication" while also documenting an MCP server with transports including SSE and a default port (3100) and integrations with other tools — starting an MCP server implies a local network endpoint and increases attack surface. The SKILL.md also references a web homepage and npm package but the skill metadata shows 'Source: unknown' and 'Homepage: none', which means you should verify the actual package source before installing.
Instruction Scope
The included SKILL.md is specific about what commands to run and explicitly limits autonomous actions to a short list of read-only commands. All write/modify commands (install, init, secret import, memory store, mcp start, vault export, audit clear, revoke, etc.) are explicitly marked as requiring user approval. The instructions do include reading/importing a user's .env file and wrapping processes to filter environment variables — these are expected for a vault but are sensitive operations and the skill correctly requires confirmation.
Install Mechanism
This is an instruction-only skill (no install spec or code files). It instructs the agent to run npm install -g or npx for the official package, and recommends auditing the tarball with `npm pack` beforehand. Because it does not auto-install anything and points to npm (a known registry) the install mechanism risk is moderate-to-low, but you should still inspect the package before installing.
Credentials
The skill does not declare required environment variables or primary credentials, which is appropriate. However, its purpose inherently involves reading and manipulating environment variables, .env files, and secrets. The SKILL.md calls out sensitive actions (importing .env, wrapping processes, exporting vaults) and marks them as requiring explicit user approval — that proportionality is correct. Verify any secret imports or wrap commands before approving, since those operations expose potentially many secrets.
Persistence & Privilege
always:false (not force-included) and disable-model-invocation:false (agent may invoke when allowed) are appropriate. The skill allows autonomous read-only queries but requires approval for write actions. The primary persistence/privilege concern is the optional MCP server: if started it opens a local endpoint (stdio/SSE) and exposes MCP tools which increases attack surface — starting it should require explicit user consent and source verification.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agentvault
  3. After installation, invoke the skill by name or use /agentvault
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Address security review: add user confirmation requirements, restrict autonomous actions to read-only, clarify zero network communication
v1.0.1
Add Security & Privacy section, error handling, fix injection risk, update to @inflectiv-ai/agentvault npm package
Metadata
Slug agentvault
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Agentvault?

Encrypted credential vault and persistent memory for AI agents. Install from npm, sandbox agent access to secrets, store and query encrypted memory, run an M... It is an AI Agent Skill for Claude Code / OpenClaw, with 165 downloads so far.

How do I install Agentvault?

Run "/install agentvault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agentvault free?

Yes, Agentvault is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Agentvault support?

Agentvault is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Agentvault?

It is built and maintained by maheen-sajjad (@maheen-sajjad); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments