ClawVault

Author: getlighty · GitHub · v3.0.0
cross-platform ⚠ suspicious
Total downloads: 636
Favorites: 0
Current installs: 0
Versions: 9
Install in OpenClaw
/install getlighty-clawvault
Description
Portable identity vault for OpenClaw. Syncs knowledge, packages, and memory across machines like iCloud — automatic, invisible, encrypted. Bring your own sto...
Usage instructions (SKILL.md)

ClawVault — Portable Agent Environment

You are an OpenClaw agent with the clawvault skill installed. This skill gives you automatic, continuous sync of the user's knowledge and environment across all their machines — like iCloud for AI agents.

Architecture

ClawVault works like a combination of iCloud and Git:

  • Auto-sync: file changes are detected, auto-committed, and pushed
  • Versioned: every change is a commit — full history, rollback anytime
  • Encrypted: Ed25519 keypair per installation — private key never leaves the machine
  • Multi-provider: user picks where their vault lives

Providers

| Provider | Type | Setup |
|---|---|---|
| ClawVault Cloud | Managed (paid per MB) | One command — clawvault cloud signup |
| Google Drive | BYOS (free) | OAuth flow via clawvault provider gdrive |
| Dropbox | BYOS (free) | OAuth flow via clawvault provider dropbox |
| FTP/SFTP | BYOS (free) | Host + credentials via clawvault provider ftp |
| Git | BYOS (free) | Any git remote via clawvault provider git |
| S3 | BYOS (free) | Any S3-compatible via clawvault provider s3 |
| WebDAV | BYOS (free) | Nextcloud etc via clawvault provider webdav |
| Local | BYOS (free) | USB/NAS mount via clawvault provider local |

"BYOS" = Bring Your Own Storage. Free forever. ClawVault Cloud is the convenience option for people who don't want to manage storage.

What Syncs

ALWAYS SYNCED (shared knowledge pool):
  identity/USER.md          Who you are
  knowledge/MEMORY.md       Long-term memory
  knowledge/projects/       Project context
  requirements.yaml         System packages
  skills-manifest.yaml      Installed skills list

NEVER AUTO-SYNCED (per-instance):
  local/SOUL.md             This agent's personality
  local/IDENTITY.md         This agent's identity
  local/config-override     Local config tweaks

OPT-IN SYNC:
  openclaw config.json      Gateway/model config
  credentials/              Channel auth (encrypted separately)

Commands

When the user asks about vault operations, use these:

First-Time Setup

  • "set up clawvault" → clawvault.sh init — creates vault, generates Ed25519 keypair, scans packages
  • "use clawvault cloud" → clawvault.sh cloud signup — creates cloud account, auto-configures provider
  • "use google drive for vault" → clawvault.sh provider gdrive — OAuth flow for Google Drive
  • "use dropbox for vault" → clawvault.sh provider dropbox
  • "use FTP for vault" → clawvault.sh provider ftp — asks for host, port, credentials

Daily Use (mostly invisible)

  • "sync status" → clawvault.sh status — show sync state, last push/pull, provider info
  • "sync now" → sync-engine.sh push — force immediate sync
  • "show vault history" → sync-engine.sh log — show commit history (like git log)
  • "rollback vault" → sync-engine.sh rollback — revert to previous state
  • "what changed" → sync-engine.sh diff — show pending changes

Packages

  • "scan packages" → track-packages.sh scan
  • "what's different from vault" → track-packages.sh diff
  • "install missing packages" → track-packages.sh install — shows commands, asks before running

Migration

  • "migrate to this machine" / "pull from vault" → migrate.sh pull — interactive restore wizard
  • "push my soul to vault" → migrate.sh push-identity — explicit opt-in only

Profiles

Each machine backs up to its own named profile (default: hostname). Profiles are separate — different machines can have different knowledge, memory, and packages without interfering with each other.

  • "show profile" / "what profile am I on" → clawvault.sh profile show — displays current profile name
  • "list profiles" / "what profiles exist" → clawvault.sh profile list — lists all profiles in the remote storage
  • "rename profile" → clawvault.sh profile rename <new-name> — renames this machine's profile
  • "restore from another machine" / "pull profile X" → clawvault.sh profile pull <name> — restores a specific profile to this machine (overwrites local vault with that profile's data, does NOT affect the source)

Key Management

  • "show my vault key" → keypair.sh show-public — display public key (for adding to providers)
  • "regenerate vault key" → keypair.sh rotate — generates new keypair, re-registers with provider

Behavior Rules

  1. Auto-sync is ON by default after setup — like iCloud. The user should not have to think about syncing. Changes are pushed within 30 seconds.

  2. Never sync SOUL.md or IDENTITY.md without explicit permission.

  3. Always confirm before installing packages. Show the diff, let them pick.

  4. Private key never leaves the machine. It's stored in ~/.clawvault/keys/ with 600 permissions. The public key is registered with the vault provider.

  5. Conflicts: If remote has changes the user hasn't seen, show a diff and let them choose. Auto-merge for non-conflicting changes (like git).

  6. Be transparent about costs. If using ClawVault Cloud, show current usage and estimated cost when asked. Never surprise the user with charges.

  7. Offline-first. Everything works locally. Sync happens when connectivity is available. Queue changes and push when back online.

  8. Profiles are separate by default. Each machine pushes to its own named profile (default: hostname). Profiles never merge automatically. If the user wants data from another machine, they must explicitly pull that profile with clawvault.sh profile pull <name>.

ClawVault Cloud Pricing

When users ask about pricing:

  • First 50 MB free — enough for most single-user vaults
  • $0.005/MB/month after that (~$0.50/month for 100 MB extra)
  • No per-instance fees — connect unlimited machines
  • No bandwidth fees — sync as often as you want
  • Example: typical vault is 10-30 MB → completely free
  • Example: power user with 200 MB → $0.75/month
  • Example: team vault with 2 GB → ~$10/month
Security recommendations
This skill is largely coherent with its stated purpose, but take these precautions before installing or running it:
  1) Inspect the scripts (especially providers/* and sync-engine.sh) to confirm what paths will be read and which files will be uploaded.
  2) Do not opt into syncing any 'credentials' or channel/token directories unless you understand how they are encrypted and you trust the storage endpoint.
  3) If you plan to use 'ClawVault Cloud', know that the repository includes server-side code that expects DB/Stripe/S3 credentials — using the managed cloud means trusting whoever runs that service.
  4) Run the tool first in a safe environment (VM/container) or with a test vault to observe behavior, and review the keypair handling (private key should remain local).
  5) If you require a higher assurance level, consider self-hosting the cloud components and inspect the provider registration flows to ensure signing and registration are implemented as expected.
Functional analysis
Type: OpenClaw Skill
Name: getlighty-clawvault
Version: 3.0.0
The skill is classified as suspicious due to several critical vulnerabilities and risky practices. The most severe issue is a potential Remote Code Execution (RCE) vulnerability in `track-packages.sh` where `eval "$cmd"` is used to install packages. If a malicious package name were injected into the vault's `requirements.yaml` (e.g., via a compromised BYOS Git repo or cloud provider), this could lead to arbitrary command execution on the agent's machine. Additionally, several provider scripts (`providers/dropbox.sh`, `providers/gdrive.sh`, `providers/s3.sh`, `providers/webdav.sh`) use `curl https://rclone.org/install.sh | bash` for `rclone` installation, which is a significant supply chain risk. The use of `StrictHostKeyChecking=no` in `providers/ftp.sh` and `providers/git.sh` also weakens SSH security, making it susceptible to MITM attacks. While the skill's stated purpose is legitimate and it attempts to protect sensitive local files, these vulnerabilities make it highly exploitable.
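The `eval "$cmd"` risk described in this analysis, seen from the defensive side, as an added example that is not code from the skill's repository: package names read from the vault are checked against an allow-list and passed as single argv elements instead of shell text. The function names, the `manager:package` entry format and the sample entries are assumptions constructed for illustration.

```sh
# Added example: hypothetical helpers, not code from track-packages.sh.
# Assumed input: "manager:package" lines; the real layout is not on the page.

# Allow-list check. A leading '-' or '.' is refused (option or local path);
# so is any character outside the list (space, ';', '$', '/', quotes ...).
is_safe_pkg_name() {
  case $1 in
    '' | [-.]* | *[!A-Za-z0-9._+-]*) return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# Print each argument in its own brackets so argv boundaries stay visible.
show_argv() { printf '[%s]' "$@"; printf '\n'; }

# Turn one entry into a fixed argv and pass it to RUNNER (default: run it).
# The package name is a single argv element, never shell text.
install_entry() { # usage: install_entry MANAGER:PACKAGE [RUNNER]
  case $1 in *:*) ;; *) return 1 ;; esac
  manager=${1%%:*} pkg=${1#*:} runner=${2:-}
  is_safe_pkg_name "$pkg" || return 1
  case $manager in
    apt) set -- apt-get install -y "$pkg" ;;
    npm) set -- npm install -g "$pkg" ;;
    pip) set -- python3 -m pip install "$pkg" ;;
    *)   return 1 ;;
  esac
  $runner "$@"
}

# Dry-run every entry on stdin; returns non-zero if any entry was refused.
plan_installs() {
  bad=0
  while IFS= read -r line; do
    if out=$(install_entry "$line" show_argv); then
      printf 'OK     %s\n' "$out"
    else
      printf 'REJECT %s\n' "$line"; bad=1
    fi
  done
  return "$bad"
}

# Constructed sample entries; the last three are refused.
plan_installs <<'EOF' || true
apt:ripgrep
apt:jq; touch /tmp/x
pip:$(id)
apt:--some-option
EOF
```

The allow-list is deliberately strict, so version pins and npm scopes are refused until the pattern is widened on purpose.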
Capability assessment
Purpose & Capability
The name/description (portable encrypted vault + optional managed cloud) matches the repository: local bash CLI, provider scripts (gdrive, dropbox, git, s3, ftp, webdav, local) and a Node.js 'ClawVault Cloud' API with billing/storage code. Including server code for an optional managed cloud is plausible (self-host or operator-run) and consistent with the advertised 'ClawVault Cloud' option.
Instruction Scope
The SKILL.md explicitly instructs the agent to run local shell scripts (clawvault.sh, sync-engine.sh, migrate.sh, track-packages.sh, keypair.sh). Those scripts read and write files under ~/.clawvault, import certain OpenClaw workspace files, scan installed packages, and may start an auto-sync daemon. The documented defaults exclude SOUL.md and IDENTITY.md and mark credentials as opt-in, which limits broad exfiltration; however, auto-sync is ON by default after setup and the tool can read the user's OpenClaw workspace and package lists, so verify what will be synced before use and do not opt into syncing credential directories unless you trust the provider and encryption.
Install Mechanism
There is no external install spec; the skill is instruction + scripts. No remote downloads or archive extraction are invoked by a platform installer. Risk is limited to running the included shell scripts locally (they will create ~/.clawvault and may start processes), so audit scripts before running.
Credentials
The skill package itself declares no required env vars for client-side operation. The included Cloud API server code, however, expects server-side environment variables (DATABASE_URL, STRIPE_SECRET_KEY, STRIPE_PRICE_ID, optional S3 credentials, STORAGE_PATH), which is appropriate if you self-host or operate the managed service but are not required for local use. Provider setup will prompt for third-party storage credentials when you select BYOS (expected).
Persistence & Privilege
always is false. The skill writes a vault directory (~/.clawvault), generates a local Ed25519 keypair (private key stored with restrictive permissions) and can run a background sync engine/daemon. That level of persistence and local file access is expected for a syncing vault; it does not request elevated system privileges or alter other skill configurations.
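How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install getlighty-clawvault
  3. Once installed, call the Skill by name or trigger it with /getlighty-clawvault
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history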
v3.0.0
Multi-profile support: separate backups per machine, profile list/pull/rename
v2.2.0
ClawVault Cloud fully working: auto key registration, HTTP/1.1 fix
v2.1.1
Fix Linux base64 wrapping in signatures, live Cloud API
v2.1.0
ClawVault Cloud is live — zero-config cloud provider now works
v2.0.4
Fix sync stop to kill orphaned fswatch, fix git push race condition
v2.0.3
Fix git provider sync: fetch-reset-apply-push model, sync_to_openclaw on pull, Linux stat fix
v2.0.2
Fix stat permissions check on Linux
v2.0.1
Fix keypair format: OpenSSH for SSH providers, PEM derived for API signing
v2.0.0
Initial release — portable identity vault for OpenClaw
Metadata
Slug getlighty-clawvault
Version 3.0.0
License
Total installs 0
Current installs 0
Historical versions 9
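FAQ

What is ClawVault?

Portable identity vault for OpenClaw. Syncs knowledge, packages, and memory across machines like iCloud — automatic, invisible, encrypted. Bring your own sto... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 636 total downloads so far.

How do I install ClawVault?

Run the command "/install getlighty-clawvault" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is ClawVault free?

Yes, ClawVault is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does ClawVault support?

ClawVault runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed ClawVault?

Developed and maintained by getlighty (@getlighty); the current version is v3.0.0.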