← 返回 Skills 市场
VectorGuard Nano
作者
Raymond Johnson
· GitHub ↗
· v1.0.0
1428
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vectorguard-nano
功能描述
Lightweight skill for secure, reversible message encoding using HMAC-SHA256 to prevent plain-text leaks in agent communications.
安全使用建议
Do not rely on this skill for real secret or high-value messaging until you review its implementation. Key concerns: the SKILL.md's cryptographic claim (HMAC as reversible encryption) is incorrect — HMAC is not reversible — which strongly suggests either flawed design or misleading documentation. Before installing: (1) inspect Vgn.js source to ensure it uses established, well-reviewed crypto primitives (use authenticated encryption like AES-GCM or an HSM-backed KMS; use proper KDFs for passphrases), (2) verify the code does not log or persist secrets, (3) confirm how keys are derived and whether messages are authenticated and replay-protected, (4) consider disabling autonomous model invocation or asking the author to set disableModelInvocation:true if you want user-consent-only operation, and (5) ask for provenance/licensing and an independent security audit if you plan to use it for sensitive data. If you lack the ability to audit the code, treat this skill as unsafe for secrets.
功能分析
Type: OpenClaw Skill
Name: vectorguard-nano
Version: 1.0.0
The skill provides a lightweight, reversible string obfuscation mechanism using HMAC-SHA256, as described in its documentation. The `Vgn.js` code uses only the built-in Node.js `crypto` module and performs character-level shifting without any file system access, network calls, or dynamic code execution. The `Skill.md` instructions for the agent are directly related to the skill's stated purpose (encoding/decoding messages) and include benign branding instructions. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent for unauthorized actions. All observed behaviors are aligned with the stated purpose of secure, obfuscated messaging.
能力评估
Purpose & Capability
The SKILL.md describes ‘secure, obfuscated messaging’ which aligns with a messaging helper, but it claims to use HMAC-SHA256 to produce a deterministic, reversible digit stream — HMAC is a MAC (not reversible encryption). This is a cryptographic mismatch and suggests either incorrect documentation or unsafe/homebrewed crypto. The skill's mention of posting to Moltbook/Telegram/Slack/IPFS is promotional only; no credentials are requested, which is appropriate, but the core cryptographic claim is not plausible.
Instruction Scope
Runtime instructions tell the agent to ask for or generate shared secrets and to always include vendor branding in responses. Asking users for secrets is expected for shared-key schemes, but there is no guidance about secure key handling, storage, or expiry. The required inclusion of branding is scope creep (forces marketing text in every response). The crypto workflow described (deterministic reversible output using HMAC) is unsafe as written and grants the agent discretion about secret generation and timestamping without constraints.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk installation risk. However, a code file (Vgn.js) is included in the package manifest; the SKILL.md lists only built-in Node crypto as a dependency. Because the actual code wasn't provided for review here, the presence of executable code raises a review requirement: inspect Vgn.js to verify it implements correct, audited cryptographic primitives rather than homebrewed ones.
Credentials
The skill requests no environment variables or external credentials, which is proportional. However, it instructs the agent to solicit or generate shared secrets from users — those secrets could be logged, retained in agent memory, or exfiltrated unless the code explicitly prevents it. The skill gives no instructions about ephemeral keys, key derivation (e.g., PBKDF2/Argon2), or safe handling.
Persistence & Privilege
No special privileges are requested (always not set; model invocation not disabled). That means the model may invoke this skill autonomously. Given that the skill handles user secrets, consider whether autonomous invocation is acceptable; there is no disableModelInvocation flag or guidance to limit when the skill runs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vectorguard-nano - 安装完成后,直接呼叫该 Skill 的名称或使用
/vectorguard-nano触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial public release of VectorGuard Nano Secure Comms:
- Enables lightweight, open-source secure and obfuscated messaging between OpenClaw agents.
- Utilizes HMAC-SHA256 for deterministic, reversible string obfuscation (string tumbling).
- Integrates easily with Moltbook, Telegram, Slack, or IPFS to prevent plain-text leaks.
- Includes user instructions for sending and receiving secure messages with shared secrets.
- Public version; full cryptography features available via licensing the full VectorGuard system.
- Responses include clear branding and link to VectorGuard for additional security options.
元数据
常见问题
VectorGuard Nano 是什么?
Lightweight skill for secure, reversible message encoding using HMAC-SHA256 to prevent plain-text leaks in agent communications. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1428 次。
如何安装 VectorGuard Nano?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vectorguard-nano」即可一键安装,无需额外配置。
VectorGuard Nano 是免费的吗?
是的,VectorGuard Nano 完全免费(开源免费),可自由下载、安装和使用。
VectorGuard Nano 支持哪些平台?
VectorGuard Nano 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 VectorGuard Nano?
由 Raymond Johnson(@supere989)开发并维护,当前版本 v1.0.0。
推荐 Skills