Downloads: 89
Stars: 1
Active Installs: 0
Versions: 1
Install in OpenClaw
/install nex-vault
Description
Secure local contract and document vault for managing all business agreements and important documents with automatic expiration tracking and compliance alert...
Usage Guidance
This package appears to implement the advertised local document vault, but there are a few mismatches and things to check before installing:
- Env var name mismatch: the registry requests VAULT_TELEGRAM_TOKEN and VAULT_TELEGRAM_CHAT_ID, but the code checks NEX_VAULT_TELEGRAM_BOT_TOKEN and NEX_VAULT_TELEGRAM_CHAT_ID. Confirm which names to set (or prefer using the CLI 'config set-telegram-*' commands) so your Telegram alerts actually work and you don't accidentally put secrets in the wrong variable.
- Telegram privacy: alerts are sent to the configured Telegram chat via api.telegram.org and will contain document names and messages. Ensure you use a trusted chat (e.g., a private admin chat) and be comfortable with those notifications containing potentially sensitive document metadata.
- File handling: when you 'add' a document the tool reads the path you supply and stores that path in the DB rather than necessarily copying the file into ~/.nex-vault. If you want an isolated copy inside the vault, verify whether the tool copies files (review full source) or keep your documents in a controlled directory.
- Optional binaries: pdftotext and tesseract are used for extraction but are optional; the registry only declares python3. If you need full parsing, install poppler-utils/pdftotext and tesseract as documented.
- Code review: while no network endpoints other than Telegram are present in the reviewed files, if you are concerned about sensitive data you should inspect the rest of the code (some files were truncated in the listing) before trusting it with real contracts. Running setup.sh will create a venv and a CLI in your user home — considered low-risk but run it in an account you control and optionally in a disposable environment first.
If these points are acceptable and you verify which env var names the installed CLI expects, the package appears usable for local contract tracking. If you are unsure, ask the publisher for clarification about the env var names and whether the tool copies files into the vault data directory.
Capability Analysis
Type: OpenClaw Skill
Name: nex-vault
Version: 1.0.0
The nex-vault skill bundle provides a local document management system with OCR and Telegram notifications, but it contains a critical shell injection vulnerability in `nex-vault.py`. The `cmd_config` function uses `subprocess.run` with `bash -c` to append unsanitized user input (Telegram tokens and chat IDs) directly to the `~/.bashrc` file, which could allow arbitrary command execution if the input is manipulated. While the core logic in `lib/doc_parser.py` and `lib/alerter.py` (which communicates with `api.telegram.org`) aligns with the stated purpose of tracking contracts, the lack of input sanitization in configuration commands poses a significant security risk.
Capability Assessment
Purpose & Capability
The code and CLI behavior match the described purpose (local document vault, date extraction, alerts, optional Telegram notifications). Required binary python3 is appropriate, and optional use of pdftotext/tesseract for parsing is consistent with the feature set. However, the registry/manifest lists environment variables VAULT_TELEGRAM_TOKEN and VAULT_TELEGRAM_CHAT_ID while the code reads NEX_VAULT_TELEGRAM_BOT_TOKEN and NEX_VAULT_TELEGRAM_CHAT_ID (different names). The skill also includes code files and a setup.sh installer despite being described as instruction-only in the registry metadata, which is inconsistent but not necessarily malicious.
Instruction Scope
Runtime instructions and the CLI operate on user-supplied file paths and local SQLite storage (expected). The setup script creates a venv, initializes a DB, and installs a CLI wrapper in ~/.local/bin. One behavioral detail to verify: when adding a document the tool records the original file path (it appears not to copy files into the vault directory), so the tool will read files wherever the provided path points — this is expected for a local vault but has privacy implications if you supply paths to unrelated files.
Install Mechanism
Installation is done via the bundled setup.sh, which creates a local virtualenv, installs python-docx and Pillow via pip, initializes the DB, and writes a wrapper in ~/.local/bin. There are no remote downloads or untrusted URLs in the install script. The installer modifies only user-home locations (~/.nex-vault and ~/.local/bin).
Credentials
The only external credentials the tool uses are Telegram bot token and chat id, which is proportionate for sending alerts. However, the declared required env vars in the registry (VAULT_TELEGRAM_TOKEN, VAULT_TELEGRAM_CHAT_ID) do NOT match the environment variable names the code actually reads (NEX_VAULT_TELEGRAM_BOT_TOKEN, NEX_VAULT_TELEGRAM_CHAT_ID). This mismatch can cause misconfiguration (you may set tokens the tool never reads) or confusion about where secrets are stored. Also the README and CLI mention commands to set Telegram tokens via 'nex-vault config', so requiring env vars at publish-time may be unnecessary or inconsistent.
Persistence & Privilege
The skill does not request always:true and will not be force-included. Its installer writes into the user's home directory (creates ~/.nex-vault and a venv, and installs a CLI shim in ~/.local/bin) which is expected for a local CLI tool. The installer suggests adding a cron entry but does not create system-wide services or modify other skills/configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install nex-vault
- After installation, invoke the skill by name or use /nex-vault
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Frequently Asked Questions
What is Nex Vault?
Secure local contract and document vault for managing all business agreements and important documents with automatic expiration tracking and compliance alert... It is an AI Agent Skill for Claude Code / OpenClaw, with 89 downloads so far.
How do I install Nex Vault?
Run "/install nex-vault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nex Vault free?
Yes, Nex Vault is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Nex Vault support?
Nex Vault is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Nex Vault?
It is built and maintained by Nex AI (@nexaiguy); the current version is v1.0.0.