功能描述

Read and edit Markdown notes on your personal computer via SSH tunnel. Use when the user asks to read, create, or append to notes in their vault.

使用说明 (SKILL.md)

Headless Vault CLI

Name: Headless Vault CLI
Author: logancyang

Access Markdown notes on your personal computer from this VPS-hosted bot via SSH tunnel.

Terminology: "Local machine" = your personal computer (macOS or Linux) where your notes live. This skill runs on the VPS and connects to your machine via a reverse SSH tunnel.

Prerequisites

This is an instruction-only skill. Before using it, the user must complete a one-time setup on their local machine:

Install vaultctl on the local machine (see setup instructions)
Configure SSH forced-command on the local machine's ~/.ssh/authorized_keys to restrict the VPS key to only run vaultctl (see Security Model below)
Start a reverse SSH tunnel from the local machine to the VPS, exposing localhost:2222
Set the environment variable VAULT_SSH_USER to the local machine's username

Security Model

This skill connects to the local machine over a pre-configured reverse SSH tunnel. Access is restricted by design:

Forced-command restriction: The VPS SSH key is added to the local machine's ~/.ssh/authorized_keys with a forced-command wrapper, so the VPS can ONLY execute vaultctl — no interactive shell, no arbitrary commands (rm, curl, etc.)
Vault sandboxing: vaultctl validates all file paths are inside VAULT_ROOT and rejects path traversal attempts (.., symlinks outside vault)
Non-destructive: Only create (new files) and append (existing files) are supported — no delete, rename, move, or overwrite
No credentials stored: SSH authentication uses the VPS's existing SSH keypair; no additional secrets are stored by this skill

Example authorized_keys entry on the local machine:

command="/usr/local/bin/vaultctl-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... vps-key

This ensures the VPS can only run vaultctl commands, even if the tunnel is compromised.

Available Commands

You have access to these commands ONLY. Do not attempt commands not listed here (no rename, delete, move, or edit commands exist).

Command	Description
`tree`	List vault directory structure
`resolve`	Find note by path or title
`info`	Get file metadata (lines, bytes, sha256, mtime)
`read`	Read note content
`create`	Create a NEW note (fails if file exists)
`append`	Append content to EXISTING note

How to Run Commands

All commands are executed via SSH:

ssh -4 -p ${VAULT_SSH_PORT:-2222} ${VAULT_SSH_USER}@${VAULT_SSH_HOST:-localhost} vaultctl \x3Ccommand> [args]

Always use -4 to force IPv4 (avoids IPv6 timeout issues).

Environment Variables

These must be set in the skill's runtime environment on the VPS:

Variable	Required	Default	Description
`VAULT_SSH_USER`	Yes	—	Local machine username for SSH tunnel
`VAULT_SSH_PORT`	No	`2222`	SSH tunnel port on localhost
`VAULT_SSH_HOST`	No	`localhost`	SSH tunnel host

Command Reference

tree - List vault structure

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree --depth 2
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree --all

Options:

--depth N - Maximum depth to traverse
--all - Include all files, not just .md

resolve - Find note by path or title

ALWAYS use --base64 for path and title arguments to prevent shell injection:

# echo -n "Projects/Plan.md" | base64 → UHJvamVjdHMvUGxhbi5tZA==
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl resolve --path UHJvamVjdHMvUGxhbi5tZA== --base64

# echo -n "Meeting Notes" | base64 → TWVldGluZyBOb3Rlcw==
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl resolve --title TWVldGluZyBOb3Rlcw== --base64

info - Get file metadata

ALWAYS use --base64 for the path argument:

# echo -n "Projects/Plan.md" | base64 → UHJvamVjdHMvUGxhbi5tZA==
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl info UHJvamVjdHMvUGxhbi5tZA== --base64

Returns JSON: {"path": "...", "lines": N, "bytes": N, "sha256": "...", "mtime": N}

read - Read note content

ALWAYS use --base64 for the path argument:

# echo -n "Projects/Plan.md" | base64 → UHJvamVjdHMvUGxhbi5tZA==
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl read UHJvamVjdHMvUGxhbi5tZA== --base64

Returns JSON: {"path": "...", "content": "..."}

create - Create a NEW note

IMPORTANT: Use --base64 flag with BOTH path AND content base64 encoded. This is required for paths/content with spaces or special characters.

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl create \x3Cbase64_path> \x3Cbase64_content> --base64

Example to create "Notes/Morning Brief.md" with content "# Hello

World":

# Encode path: echo -n "Notes/Morning Brief.md" | base64 → Tm90ZXMvTW9ybmluZyBCcmllZi5tZA==
# Encode content: echo -n "# Hello\
\
World" | base64 → IyBIZWxsbwoKV29ybGQ=
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl create Tm90ZXMvTW9ybmluZyBCcmllZi5tZA== IyBIZWxsbwoKV29ybGQ= --base64

Creates parent directories automatically
Fails if file already exists (use append to add to existing files)
File must have .md extension
NEVER duplicate the title as a heading inside the note content (e.g., for "My Note.md", don't start content with "# My Note")

append - Append to EXISTING note

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl append \x3Cbase64_path> \x3Cbase64_content> --base64

Fails if file does not exist (use create for new files)

What You CANNOT Do

These operations are NOT supported:

Rename files or folders
Delete files or folders
Move files between folders
Edit specific parts of a file (only append to end)
Create folders without a file (folders are created automatically with create)

Tips

Always run vaultctl tree first to see what notes exist
Use vaultctl resolve --title \x3Cbase64> --base64 to find a note by name
All output is JSON
The local machine must be online with tunnel running
ALWAYS use --base64 for ALL path and content arguments — this is mandatory for security, not optional

Examples

Important: Always run tree first if you're unsure what notes exist. This prevents errors from wrong paths or duplicate names.

Example 1: User asks to read a note (check first)

User: "Show me my project plan"

Step 1 - Check what exists:

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree

Output:

{"tree": [{"path": "Projects", "type": "dir"}, {"path": "Projects/Plan.md", "type": "file"}]}

Step 2 - Now read the correct path (always base64 encode):

# echo -n "Projects/Plan.md" | base64 → UHJvamVjdHMvUGxhbi5tZA==
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl read UHJvamVjdHMvUGxhbi5tZA== --base64

Output:

{"path": "Projects/Plan.md", "content": "# Project Plan\
\
## Goals\
..."}

Example 2: User asks to create a note (check first to avoid duplicates)

User: "Create a meeting notes file"

Step 1 - Check what already exists:

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree

Output:

{"tree": [{"path": "Projects", "type": "dir"}, {"path": "Projects/Plan.md", "type": "file"}]}

Step 2 - No "Meeting Notes" exists, safe to create (do NOT duplicate title as heading):

# echo -n "Meeting Notes.md" | base64 → TWVldGluZyBOb3Rlcy5tZA==
# echo -n "## Agenda\
\
- Item 1\
- Item 2\
" | base64 → IyMgQWdlbmRhCgotIEl0ZW0gMQotIEl0ZW0gMgo=
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl create TWVldGluZyBOb3Rlcy5tZA== IyMgQWdlbmRhCgotIEl0ZW0gMQotIEl0ZW0gMgo= --base64

Output:

{"status": "ok", "path": "Meeting Notes.md"}

Example 3: User asks about vault contents

User: "What's in my notes?"

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree --depth 2

Output:

{"tree": [{"path": "Projects", "type": "dir"}, {"path": "Projects/Plan.md", "type": "file"}, {"path": "Ideas.md", "type": "file"}]}

Then summarize for user: "You have a Projects folder with Plan.md, and an Ideas.md file at the root."

Example 4: Complex workflow with source and output notes

User: "According to the source note 'AI Digest Sources.md', browse the sources and output the digest to 'digest/2025-01-28-digest.md'"

Step 1 - Check what exists:

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl tree

Output:

{"tree": [{"path": "AI Digest Sources.md", "type": "file"}, {"path": "digest", "type": "dir"}, {"path": "digest/2025-01-27-digest.md", "type": "file"}]}

Step 2 - Validate:

Source "AI Digest Sources.md" exists
Output "digest/2025-01-28-digest.md" does NOT exist, will use create

(If source didn't exist: STOP and ask user "I couldn't find 'AI Digest Sources.md'. Did you mean one of these: [list alternatives]?")

(If output already existed: use append instead of create)

Step 3 - Read the source note (always base64 encode):

# echo -n "AI Digest Sources.md" | base64 → QUkgRGlnZXN0IFNvdXJjZXMubWQ=
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl read QUkgRGlnZXN0IFNvdXJjZXMubWQ= --base64

Output:

{"path": "AI Digest Sources.md", "content": "# AI Digest Sources\
\
- https://example.com/article1\
- https://example.com/article2\
"}

Step 4 - Browse sources and generate digest content (done by bot outside this skill)

Step 5 - Write output to vault (do NOT duplicate title as heading):

# echo -n "digest/2025-01-28-digest.md" | base64 → ZGlnZXN0LzIwMjUtMDEtMjgtZGlnZXN0Lm1k
# echo -n "## Summary\
\
Key points from today's sources...\
" | base64 → IyMgU3VtbWFyeQoKS2V5IHBvaW50cyBmcm9tIHRvZGF5J3Mgc291cmNlcy4uLgo=
ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl create ZGlnZXN0LzIwMjUtMDEtMjgtZGlnZXN0Lm1k IyMgU3VtbWFyeQoKS2V5IHBvaW50cyBmcm9tIHRvZGF5J3Mgc291cmNlcy4uLgo= --base64

(If output already existed, use append instead:)

ssh -4 -p 2222 ${VAULT_SSH_USER}@localhost vaultctl append ZGlnZXN0LzIwMjUtMDEtMjgtZGlnZXN0Lm1k IyMgVXBkYXRlCi4uLg== --base64

安全使用建议

This skill appears coherent with its purpose, but it depends on correct local setup and trust in the local helper (vaultctl). Before using: (1) verify you properly configured authorized_keys with a forced-command wrapper so the VPS key can only run vaultctl; (2) review and trust the local vaultctl implementation to ensure it enforces VAULT_ROOT and rejects path traversal or symlink escapes; (3) confirm the VPS SSH key is kept secure and that the VPS is trusted, since the tunnel gives that VPS the ability to run vaultctl on your machine; (4) note the script will read ~/.config/headless-vault-cli/mac-user as a fallback if VAULT_SSH_USER is unset — if you prefer, set VAULT_SSH_USER explicitly to avoid that; (5) ensure the VPS SSH host key is known (StrictHostKeyChecking is enabled) to avoid man-in-the-middle risk. If you cannot verify the forced-command and vaultctl sandboxing on your local machine, do not enable the tunnel or give the VPS access.

功能分析

Type: OpenClaw Skill Name: headless-vault-cli Version: 1.2.6 The skill is designed with strong security considerations, explicitly mitigating shell injection risks. The `SKILL.md` repeatedly instructs the AI agent to base64 encode all path and content arguments for commands like `resolve`, `info`, `read`, `create`, and `append`. Crucially, the `vault.sh` wrapper script independently performs base64 encoding on these arguments before passing them to the remote `vaultctl` command via SSH, providing a robust, layered defense. The skill also relies on a forced-command SSH setup on the remote machine, restricting the VPS's access to only `vaultctl` commands, and `vaultctl` itself is described as sandboxing paths. There is no evidence of malicious intent, data exfiltration, persistence, or prompt injection against the agent.

能力评估

✓ Purpose & Capability

Name/description (read/edit Markdown via SSH tunnel) matches the declared requirements (ssh binary, VAULT_SSH_USER) and the behavior in vault.sh (invokes ssh to run vaultctl remotely). No unrelated binaries or unrelated credentials are requested.

ℹ Instruction Scope

SKILL.md confines actions to a narrow set of vaultctl operations (tree, resolve, info, read, create, append) and emphasizes base64 encoding to avoid shell injection. It does rely on the user's correct setup (reverse tunnel, forced-command in authorized_keys, and vaultctl enforcing path sandboxing). Those are trust assumptions: the skill assumes the local vaultctl and forced-command correctly restrict actions — this is reasonable but user-dependent.

✓ Install Mechanism

Instruction-only skill with an included shell wrapper (vault.sh). There is no install step, no downloads, and no archive extraction. Risk from installation is minimal.

ℹ Credentials

Only VAULT_SSH_USER is required (with optional VAULT_SSH_PORT and VAULT_SSH_HOST), which is proportionate. One small inconsistency: registry metadata listed no required config paths, but SKILL.md and vault.sh reference a fallback config file (~/.config/headless-vault-cli/mac-user). That file is read for convenience if the env var is not set.

✓ Persistence & Privilege

always is false and the skill does not request persistent/system-wide privileges. It does read a per-user config fallback file in $HOME, which is within expected scope for a CLI wrapper.

版本历史

v1.2.6

Block set-root from remote access to prevent vault sandbox bypass

v1.2.5

Fix display name

v1.2.4

Fix set-root shell injection (base64 encode path), harden SSH to StrictHostKeyChecking=yes, declare config_paths in metadata

v1.2.3

Fix shell injection vulnerability: remove eval from wrapper, add metacharacter rejection, mandate base64 encoding for all args

v1.2.2

Fix metadata format: move env/bins declarations into metadata JSON (matching registry schema). Declare ssh as required binary and VAULT_SSH_USER as required env var in top-level metadata.

v1.2.1

Declare env vars in openclaw metadata format. Add Security Model section documenting forced-command SSH restriction. Add Prerequisites section. Remove references to external setup scripts. Remove vault.sh wrapper (instruction-only skill).

v1.2.0

Remove vault.sh wrapper from skill package. The skill is instruction-only — the agent calls vaultctl directly via SSH as documented in SKILL.md. Removes shell script that triggered false positive security scan findings.

v1.1.0

Fix security scan findings: align vault.sh with SKILL.md documentation. Add set-root command to wrapper. Use base64 encoding for create/append (matching SKILL.md). Declare env vars and config file paths in metadata. Add -4 IPv4 flag to SSH. Document check command.

v1.0.0

Initial release of headless-vault-cli. - Access and manage Markdown notes on your personal computer via SSH tunnel from Moltbot. - Supports listing, reading, creating, and appending to notes; provides note metadata. - Commands: tree, resolve, info, read, create, append, set-root. - All file operations use IPv4 SSH with JSON output. - Safe base64-encoded path/content handling for notes with spaces or special characters. - Strictly read/append-only: no delete, rename, move, or partial edit capabilities. - Comprehensive usage instructions, examples, and error-prevention tips included.

元数据

Slug headless-vault-cli

版本 1.2.6

许可证 —

累计安装 0

当前安装数 0

历史版本数 9

常见问题