X1 Vault Memory

by Lokoweb3 · GitHub ↗ · v0.1.10
cross-platform ⚠ suspicious
Downloads: 640 · Stars: 0 · Active Installs: 0 · Versions: 11
Install in OpenClaw
/install x1-vault-memory
Description
Backup and restore OpenClaw agent memory to IPFS with AES-256-GCM encryption and X1 blockchain CID anchoring
Usage Guidance
This skill appears to implement the advertised backup/restore pipeline, but review these points before installing:
- Metadata mismatch: the registry summary said no required envs/configs, but SKILL.md and package.json do require PINATA_JWT and x1_vault_cli/wallet.json. Verify the package metadata and that you provide only intended secrets.
- Sensitive secrets: the skill needs a wallet.json (private key) and a Pinata JWT. Use a dedicated, low-value wallet and create a Pinata JWT scoped to pinFileToIPFS only; keep both off version control and rotate/revoke tokens if compromised.
- X1 anchoring: the anchoring code reuses @solana/web3.js and Solana memo program IDs; confirm that the X1 RPC and on-chain memo behavior are compatible in your environment (test on a testnet or a disposable wallet first). If anchoring fails, the backup still stays on IPFS but won't be recorded on-chain.
- Cron/heartbeat: the heartbeat auto-restore is opt-in. Do not enable cron/auto-restore unless you trust the code and want automatic restores that execute local commands.
- Dependency risk: npm install pulls many packages. If you require higher assurance, audit dependencies or run in an isolated container/VM.
If you trust the author and the code after these checks, the skill is coherent with its stated purpose. If anything feels off (unknown source, unexpected metadata), test in an isolated environment or refrain from installing.
Capability Analysis
Type: OpenClaw Skill
Name: x1-vault-memory
Version: 0.1.10
This skill is designed for encrypted, decentralized backup and restore of OpenClaw agent memory. It uses strong cryptographic practices (AES-256-GCM, PBKDF2) and includes critical security mitigations such as `validateCID` for all Content Identifiers (CIDs) before network requests (SSRF prevention) and before executing child processes (`execFileSync` in `heartbeat.js`, preventing shell injection). It also implements SHA-256 checksum verification for data integrity during restore. All external communications (Pinata, X1 RPC) and local file system access are aligned with the stated purpose. Persistence mechanisms (cron jobs) are opt-in and clearly documented. There is no evidence of intentional malicious behavior like unauthorized data exfiltration, backdoors, or stealthy operations. The skill explicitly warns users about handling sensitive `wallet.json` and `PINATA_JWT` credentials securely.
Capability Assessment
Purpose & Capability
The skill's name/description (IPFS + AES-256-GCM + X1 anchoring) aligns with the code: archive workspace files, encrypt with AES-256-GCM (key derived from local wallet.json secretKey), upload to Pinata, and submit a signed transaction to an X1 RPC. However the registry summary at the top of the package info (which lists no required env vars or config paths) contradicts SKILL.md and package.json which explicitly require PINATA_JWT and x1_vault_cli/wallet.json. That metadata mismatch is likely a packaging/registration oversight but should be corrected/verified.
Instruction Scope
Runtime instructions and code act on agent workspace files (IDENTITY.md, SOUL.md, USER.md, TOOLS.md, memory/) and use Pinata and an X1 RPC. Heartbeat auto-restore is opt-in (cron example provided) and the code validates CIDs and checksums. Heartbeat invokes restore via execFileSync('node', ...), which is expected for this tool but means the skill will run local commands if you schedule it—confirm you only enable cron if you trust the code.
Install Mechanism
No remote 'curl|sh' or arbitrary URL downloads; dependencies are normal npm packages declared in package.json and lockfile. The install is npm install (node modules from public registries). That is standard but remember npm packages have their own supply-chain risk—review dependencies if you require high assurance.
Credentials
The only required secret is PINATA_JWT (Pinata pinFileToIPFS) and a local wallet keypair file (x1_vault_cli/wallet.json). Both are sensitive but justified by the functionality: Pinata auth for uploads and the private key for encryption/signing. Ensure the Pinata key is scoped/minimal and the wallet is a dedicated wallet (the project advises this).
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. It requires a local wallet file and environment variable but does not attempt to persist itself beyond normal files in the workspace.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install x1-vault-memory
  3. After installation, invoke the skill by name or use /x1-vault-memory
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.10
**Security-focused update with documentation changes for safer usage and improved clarity:**
- Raised prominent SECURITY WARNING: do not use a primary wallet—always use a dedicated wallet with minimal XNT for backups.
- Replaced scattered requirements sections with a clearly labeled "Required Configuration" table.
- Added repeated security warnings at key sections (setup, requirements).
- No code changes included; updates are documentation and metadata.
- Package version increased from 0.1.10 to 0.2.0.
v0.1.9
x1-vault-memory v1.1.2
- Security: Removed "curl | sh" Solana CLI installer suggestion; now recommends wallet creation via Node.js (`@solana/web3.js`)
- Environment variable requirements clarified in both SKILL.md and package.json; `PINATA_JWT` is now mandatory, `X1_RPC_URL` optional with a default
- Documentation improvements: Clear setup steps, no Solana CLI dependency, and opt-in note for heartbeat auto-restore via cron
- Minor corrections to requirements and file structure in metadata
v0.1.8
x1-vault-memory v0.1.8
- Documentation updates: README.md, SKILL.md, and other docs clarified and revised.
- Internal code improvements in src/anchor.js, src/backup.js, and src/restore.js (details not specified).
- No changes to skill requirements, configuration, or usage flow.
- Version number remains 1.1.1 in documentation; code version is 0.1.8.
v0.1.7
- Version bump from 1.1.0 to 1.1.1.
- Documentation update: added a prominent security note advising users to verify the Solana CLI installer URL for enhanced safety.
- No functional changes to the skill's code or features.
v0.1.6
- Internal changes in src/backup.js with no visible impact on documentation or user-facing features.
- No public-facing changes; usage and setup remain the same.
v0.1.5
x1-vault-memory v0.1.5
- Updated the SKILL.md documentation to include a structured requirements table and configuration details.
- Specified x1_vault_cli/wallet.json as a required config file in metadata and requirements.
- No changes to functionality or source code; this update is documentation-only.
v0.1.4
x1-vault-memory v0.1.4
- Updated documentation in README.md (no feature or usage changes).
- No user-facing functional changes; core functionality and API remain the same.
v0.1.3
x1-vault-memory 0.1.3 Changelog
- Documentation updates in SKILL.md and README.md.
- Clarified required Pinata API token permissions (now recommends pinFileToIPFS only, not Admin).
- Updated wallet keypair creation instructions to new path ("x1_vault_cli/wallet.json").
- Added installation note/link for the official Solana CLI.
- Improved wording and formatting for setup instructions.
v0.1.2
- Switched encryption from NaCl to AES-256-GCM for backups.
- Now explicitly requires X1_RPC_URL as an environment variable.
- Documentation updated to reflect new encryption method and required environment variables.
v0.1.1
Initial release.
- Provides backup and restore for OpenClaw agent memory with NaCl encryption and X1 blockchain anchoring
- Encrypts agent data, uploads to IPFS via Pinata, and anchors CIDs on X1 blockchain
- Includes scripts for backup, restore, and backup listing
- Features automated heartbeat/restoration and selective restore by file/directory
- Supports checksum verification for data integrity and local logging of all backup events
v0.1.0
x1-vault-memory v1.1.0 introduces major enhancements for secure, decentralized agent memory backup:
- Added SHA-256 integrity verification for both backup and restore processes.
- New selective restore feature via --only flag to recover specific files or directories.
- Introduced list command to view all backups with versioned rollback support.
- Added heartbeat self-healing hook for automated restore if failure detected.
Metadata
Slug x1-vault-memory
Version 0.1.10
License
All-time Installs 0
Active Installs 0
Total Versions 11
Frequently Asked Questions

What is X1 Vault Memory?

Backup and restore OpenClaw agent memory to IPFS with AES-256-GCM encryption and X1 blockchain CID anchoring. It is an AI Agent Skill for Claude Code / OpenClaw, with 640 downloads so far.

How do I install X1 Vault Memory?

Run "/install x1-vault-memory" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is X1 Vault Memory free?

Yes, X1 Vault Memory is completely free (open-source). You can download, install and use it at no cost.

Which platforms does X1 Vault Memory support?

X1 Vault Memory is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created X1 Vault Memory?

It is built and maintained by Lokoweb3 (@lokoweb3); the current version is v0.1.10.
