amd5

Secure Storage

by c32 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 96 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw: /install secure-storage
Description
AES-encrypted storage for securely saving sensitive information such as API keys
Usage Guidance
This skill implements local encrypted storage but is misleading and not safe for high-value secrets as-is. Key issues to consider before installing or using:
  1. SKILL.md claims the encryption key comes from an environment variable, but the script ignores env vars and uses a hardcoded SIMPLE_KEY ('openclaw-secure-storage-v1') with a static salt: an attacker who obtains the repo can decrypt stored values.
  2. The code uses a simple AES-256-CBC scheme with a static salt and no authentication (no AES-GCM or HMAC), which is not production-grade.
  3. The documented filename ('.secure-storage.json') differs from the actual path the script writes to ('$HOME/.openclaw/workspace/memory/secure-storage.json'), which could cause surprise or data scattering.
  4. Although the file is written with 0600, anyone with filesystem access to your HOME can read it; do not store high-value secrets (root-level AWS keys, production tokens) without stronger protections.
Recommended actions: do not rely on this for critical secrets; ask the author to
  (a) actually read the encryption key from a required env var and declare it in metadata,
  (b) use a well-reviewed authenticated encryption scheme (e.g., AES-GCM, or use the OS keychain/KMS),
  (c) use a proper per-secret salt/IV/key derivation rather than a hardcoded salt or key,
  (d) fix the documentation to match the actual storage path, and
  (e) consider storing secrets in the OS keyring or a cloud KMS instead.
If you still want to use it for low-value items, review and run the script in an isolated environment and consider modifying it to accept and require a real secret (from env) and to use authenticated encryption.
Capability Analysis
Type: OpenClaw Skill
Name: secure-storage
Version: 1.0.1
The skill provides a local key-value store claiming to be 'secure,' but it contains a critical vulnerability: the encryption key and salt are hardcoded in `scripts/secure-storage.js` (`SIMPLE_KEY` and 'salt'), making the encryption trivial to bypass. Furthermore, there is a discrepancy between the code and `SKILL.md`, which falsely claims the encryption key is read from environment variables. While no evidence of intentional data exfiltration or malicious execution was found, the weak cryptographic implementation poses a significant risk for storing sensitive information.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name, description, and features (set/get/list/delete) match the included script's functionality. However, SKILL.md says the encryption key is read from an environment variable and that the storage filename is '.secure-storage.json', whereas the script hardcodes the encryption key and writes to '$HOME/.openclaw/workspace/memory/secure-storage.json'; these mismatches are unexpected and unexplained.
Instruction Scope
SKILL.md instructs running the provided node script and states that the encryption key comes from an env var; the actual script does not read any env var for the key and uses a hardcoded SIMPLE_KEY. The SKILL.md/README also references a different storage filename than the script uses. The script performs only local file I/O and no networking, but the documentation gives a false impression of how the key is provided.
Install Mechanism
No install spec (instruction-only with one script). This has low install risk: nothing is downloaded or executed implicitly during install.
Credentials
SKILL.md claims the encryption key comes from an environment variable, but the skill.json declares no required env vars and the script ignores environment variables for the key. Instead the code uses a hardcoded SIMPLE_KEY and a static salt ('salt') when deriving an AES key — this is disproportionate to the claimed secure behavior and weakens confidentiality.
Persistence & Privilege
Skill does not request 'always: true' and is user-invocable only. It writes a storage file under the user's HOME path (creates ~/.openclaw/workspace/memory/secure-storage.json) with file mode 0600, which is reasonable for a local CLI tool. It does not modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secure-storage
  3. After installation, invoke the skill by name or use /secure-storage
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
AES-encrypted storage; author changed to c32
v1.0.0
AES-encrypted storage of sensitive information
Metadata
Slug: secure-storage
Version: 1.0.1
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is Secure Storage?

AES-encrypted storage for securely saving sensitive information such as API keys. It is an AI Agent Skill for Claude Code / OpenClaw, with 96 downloads so far.

How do I install Secure Storage?

Run "/install secure-storage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Secure Storage free?

Yes, Secure Storage is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Secure Storage support?

Secure Storage is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Secure Storage?

It is built and maintained by c32 (@amd5); the current version is v1.0.1.
