← Back to Skills Marketplace
Mema Vault
by
azzar budiyanto
· GitHub ↗
· v1.1.9
715
Downloads
0
Stars
1
Active Installs
11
Versions
Install in OpenClaw
/install mema-vault
Description
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys,...
README (SKILL.md)
Mema Vault
Prerequisites
- Master Key: Must be set as an environment variable
MEMA_VAULT_MASTER_KEY. - Dependencies: Requires
cryptographyPython package.
Core Workflows
1. Store a Secret
Encrypt and save a new credential.
- Usage:
python3 $WORKSPACE/skills/mema-vault/scripts/vault.py set \x3Cservice> \x3Cuser> \x3Cpassword> [--meta "info"]
2. Retrieve a Secret
Fetch a credential. By default, the password is masked in output.
- Usage:
python3 $WORKSPACE/skills/mema-vault/scripts/vault.py get \x3Cservice> - Show Raw: Use
--showflag only when required for secure injection.
3. List Credentials
- Usage:
python3 $WORKSPACE/skills/mema-vault/scripts/vault.py list
Security Standards
- Encryption: AES-256 CBC via PBKDF2HMAC (480,000 iterations).
- Masking: Secrets are masked in standard logs/output unless explicitly requested.
- Isolation: The Master Key should never be stored in plaintext on disk.
Usage Guidance
This skill appears to be what it claims: a local, master-key protected vault. Before installing, do the following: 1) Validate the Master Key is injected securely (prefer process-scoped secrets or an agent-managed secret store rather than a long-lived system-wide env var). 2) Review and accept that the vault stores an encrypted SQLite DB and salt at data/ in the workspace — protect those files and backups. 3) Be careful with the `--show` flag (it prints raw secrets to console). 4) Note the SKILL.md/ security-policy wording about "AES-256-CBC" is misleading; if you require a specific cryptographic guarantee, review the cryptography usage and parameters yourself. 5) Confirm you are comfortable installing the `cryptography` PyPI package in the agent runtime environment.
Capability Analysis
Type: OpenClaw Skill
Name: mema-vault
Version: 1.1.9
The Mema Vault skill is a well-implemented local credential manager. It uses strong cryptographic practices (AES-256, PBKDF2HMAC with 480,000 iterations, random salt) and stores data securely within its workspace. It requires a master key from environment variables, employs parameterized SQLite queries to prevent SQL injection in `scripts/vault.py`, and masks sensitive output by default. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md. The dependencies and installation steps are legitimate for its stated purpose.
Capability Assessment
Purpose & Capability
The skill is a local vault and only requests a single environment variable (MEMA_VAULT_MASTER_KEY), which aligns with the stated purpose. Minor inconsistency: documentation claims "AES-256-CBC (via Python `cryptography` Fernet)", but Fernet's specification and common implementations do not match a plain "AES-256-CBC" claim — this is a wording/accuracy issue in the README, not evidence of hidden functionality.
Instruction Scope
SKILL.md instructs the agent to run the included CLI script and to install the `cryptography` package. Runtime behavior in the script is limited to reading MEMA_VAULT_MASTER_KEY, creating/reading data/salt.bin and data/vault.db in the workspace, and printing masked output by default. The only potentially surprising behaviors are (1) the `get` command uses a SQL LIKE (%...%) query (could return partial matches), (2) the --show flag prints raw secrets to console when used, and (3) audit information is written to console rather than a structured log — all of which are documented or obvious in the script.
Install Mechanism
No global install spec was recorded in the registry manifest, but SKILL.md includes metadata to run `pip install cryptography`. Installing from PyPI is a standard, low-to-moderate risk action. There are no downloads from arbitrary URLs or archive extraction steps.
Credentials
Only MEMA_VAULT_MASTER_KEY is required, which is appropriate for a local vault. The script does not request unrelated credentials or external service keys.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does persist an encrypted SQLite DB and a salt file under data/ in the workspace; users should be aware these files remain on disk and protect workspace storage and backups accordingly.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mema-vault - After installation, invoke the skill by name or use
/mema-vault - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.9
SECURITY: Removed local database from package and added gitignore. Only source and documentation are included.
v1.1.8
Ensured scripts inclusion by using .py extension. Manifest verified.
v1.1.7
Final manifest fix: confirmed inclusion of extensionless 'scripts/vault' via absolute path publishing.
v1.1.6
Ensured scripts/vault.py is in the manifest by renaming and using absolute publishing path.
v1.1.5
Ensured scripts/vault.py inclusion by adding file extension and using isolated build.
v1.1.4
CRITICAL: Final fix for manifest inclusion by ensuring clean WORKDIR and explicit path publishing.
v1.1.3
CRITICAL: Ensured inclusion of scripts/vault by using a clean build directory and verifying the package manifest.
v1.1.2
Fixed manifest and permission issues by isolating the build environment. Verified scripts/vault inclusion.
v1.1.1
Synchronized security-policy with actual code: removed legacy Redis/GCM references and confirmed local SQLite storage. Package now fully consistent with implementation.
v1.1.0
Implemented actual AES-256 encryption logic, added mandatory master key env var, and fixed ClawHub metadata/install requirements.
v1.0.0
Version 1.0.0 – Initial Release
- Introduces mema-vault, a secure credential manager for Mema using AES-256 encryption.
- Supports storing, retrieving, and rotating secrets with both file and Redis backends.
- Implements strict security rules to prevent accidental exposure of sensitive data.
- Provides audit tracking of secret access and helper scripts for key rotation.
- Includes clear setup instructions and reference materials for best practices.
Metadata
Frequently Asked Questions
What is Mema Vault?
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys,... It is an AI Agent Skill for Claude Code / OpenClaw, with 715 downloads so far.
How do I install Mema Vault?
Run "/install mema-vault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mema Vault free?
Yes, Mema Vault is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Mema Vault support?
Mema Vault is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mema Vault?
It is built and maintained by azzar budiyanto (@1999azzar); the current version is v1.1.9.
More Skills