Total downloads: 89 | Favourites: 1 | Currently installed: 0 | Versions: 1
Install in OpenClaw:
/install nex-vault
Description
Secure local contract and document vault for managing all business agreements and important documents with automatic expiration tracking and compliance alert...
Safe-use recommendations
This package appears to implement the advertised local document vault, but there are a few mismatches and things to check before installing:
- Env var name mismatch: the registry requests VAULT_TELEGRAM_TOKEN and VAULT_TELEGRAM_CHAT_ID, but the code checks NEX_VAULT_TELEGRAM_BOT_TOKEN and NEX_VAULT_TELEGRAM_CHAT_ID. Confirm which names to set (or prefer using the CLI 'config set-telegram-*' commands) so your Telegram alerts actually work and you don't accidentally put secrets in the wrong variable.
- Telegram privacy: alerts are sent to the configured Telegram chat via api.telegram.org and will contain document names and messages. Ensure you use a trusted chat (e.g., a private admin chat) and be comfortable with those notifications containing potentially sensitive document metadata.
- File handling: when you 'add' a document the tool reads the path you supply and stores that path in the DB; it does not appear to copy the file into ~/.nex-vault. If you want an isolated copy inside the vault, verify whether the tool copies files (review the full source) or keep your documents in a controlled directory.
- Optional binaries: pdftotext and tesseract are used for extraction but are optional; the registry only declares python3. If you need full parsing, install poppler-utils/pdftotext and tesseract as documented.
- Code review: no network endpoints other than Telegram are present in the reviewed files, but if you are concerned about sensitive data you should inspect the rest of the code (some files were truncated in the listing) before trusting it with real contracts. Running setup.sh will create a venv and a CLI in your user home; this is considered low-risk, but run it in an account you control and, optionally, in a disposable environment first.
If these points are acceptable and you verify which env var names the installed CLI expects, the package appears usable for local contract tracking. If you are unsure, ask the publisher for clarification about the env var names and whether the tool copies files into the vault data directory.
Functional analysis
Type: OpenClaw Skill
Name: nex-vault
Version: 1.0.0
The nex-vault skill bundle provides a local document management system with OCR and Telegram notifications, but it contains a critical shell injection vulnerability in `nex-vault.py`. The `cmd_config` function uses `subprocess.run` with `bash -c` to append unsanitized user input (Telegram tokens and chat IDs) directly to the `~/.bashrc` file, which could allow arbitrary command execution if the input is manipulated. While the core logic in `lib/doc_parser.py` and `lib/alerter.py` (which communicates with `api.telegram.org`) aligns with the stated purpose of tracking contracts, the lack of input sanitization in configuration commands poses a significant security risk.
Capability tags
Capability assessment
Purpose & Capability
The code and CLI behavior match the described purpose (local document vault, date extraction, alerts, optional Telegram notifications). Required binary python3 is appropriate, and optional use of pdftotext/tesseract for parsing is consistent with the feature set. However, the registry/manifest lists environment variables VAULT_TELEGRAM_TOKEN and VAULT_TELEGRAM_CHAT_ID while the code reads NEX_VAULT_TELEGRAM_BOT_TOKEN and NEX_VAULT_TELEGRAM_CHAT_ID (different names). The skill also includes code files and a setup.sh installer despite being described as instruction-only in the registry metadata, which is inconsistent but not necessarily malicious.
Instruction Scope
Runtime instructions and the CLI operate on user-supplied file paths and local SQLite storage (expected). The setup script creates a venv, initializes a DB, and installs a CLI wrapper in ~/.local/bin. One behavioral detail to verify: when adding a document the tool records the original file path (it appears not to copy files into the vault directory), so the tool will read files wherever the provided path points. This is expected for a local vault but has privacy implications if you supply paths to unrelated files.
Install Mechanism
Installation is done via the bundled setup.sh, which creates a local virtualenv, installs python-docx and Pillow via pip, initializes the DB, and writes a wrapper in ~/.local/bin. There are no remote downloads or untrusted URLs in the install script. The installer modifies only user-home locations (~/.nex-vault and ~/.local/bin).
Credentials
The only external credentials the tool uses are a Telegram bot token and chat ID, which is proportionate for sending alerts. However, the declared required env vars in the registry (VAULT_TELEGRAM_TOKEN, VAULT_TELEGRAM_CHAT_ID) do NOT match the environment variable names the code actually reads (NEX_VAULT_TELEGRAM_BOT_TOKEN, NEX_VAULT_TELEGRAM_CHAT_ID). This mismatch can cause misconfiguration (you may set tokens the tool never reads) or confusion about where secrets are stored. Also, the README and CLI mention commands to set Telegram tokens via 'nex-vault config', so requiring env vars at publish time may be unnecessary or inconsistent.
Persistence & Privilege
The skill does not request always:true and will not be force-included. Its installer writes into the user's home directory (creates ~/.nex-vault and a venv, and installs a CLI shim in ~/.local/bin) which is expected for a local CLI tool. The installer suggests adding a cron entry but does not create system-wide services or modify other skills/configs.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Type the install command in the chat box: /install nex-vault
- After installation, call the Skill by name directly or trigger it with /nex-vault
- Provide the required inputs according to the Skill's parameter description to get structured output.
Version history
v1.0.0
Initial release
Metadata
FAQ
What is Nex Vault?
Secure local contract and document vault for managing all business agreements and important documents with automatic expiration tracking and compliance alert... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 89 downloads to date.
How do I install Nex Vault?
Run the command "/install nex-vault" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Nex Vault free?
Yes, Nex Vault is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Nex Vault support?
Nex Vault is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Nex Vault?
Developed and maintained by Nex AI (@nexaiguy); current version v1.0.0.