Trusted — Risk Score 5/100
Last scan: 19 hr ago
credential-vault
Encrypted credential storage for OpenClaw agents
Legitimate encrypted credential storage tool with solid AES-256-GCM cryptography, clear documentation, no network exfiltration, and no malicious behavior detected.
Skill Name: credential-vault
Duration: 35.1s
Engine: pi
Verdict: Safe to install
This skill is safe to use. The flagged IOCs are test credentials in test files (expected) and a documentation URL; neither represents a security risk in production.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | scripts/vault.py:1 creates ~/.openclaw/vault/vault.enc.json
Environment | READ | NONE | ✓ Aligned | SKILL.md mentions VAULT_MASTER_PASSWORD but the code does not read os.environ
Shell | NONE | NONE | | No subprocess or shell execution found
Network | NONE | NONE | | SKILL.md explicitly states 'Local only — No network sync (by design)'
3 findings: 2 High, 1 Medium
🔑 High · API Key · Suspected hard-coded credential
password = "test-password-12345"
tests/test_roundtrip.py:23
🔑 High · API Key · Suspected hard-coded credential
password = "correct-password"
tests/test_roundtrip.py:78
🔗 Medium · External URL
https://openclaw.com
README.md:353
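The two High findings above are regex hits on string literals in a test module, and the verdict downgrades them because they are test fixtures. The following added Python example (not the scanner's code and not part of the credential-vault skill) shows the triage rule that justifies such a downgrade: a hit is only demoted when it sits under a test path and its literal is not reused in any non-test file. The file contents, the credential-name pattern and the test-directory list are constructed assumptions for this illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed stand-in for the repository contents. These are NOT the real files of
# the credential-vault skill; they only reproduce the shapes a secret scanner sees:
# a test fixture password and a production module that takes the password as input.
SAMPLE_FILES = {
    "tests/test_roundtrip.py": (
        "def test_roundtrip(tmp_path):\n"
        '    password = "test-password-12345"\n'
        '    vault = Vault(tmp_path / "vault.enc.json", password)\n'
    ),
    "lib/store.py": (
        "def open_vault(path, password):\n"
        '    """password comes from the caller; nothing is stored in source."""\n'
    ),
    "README.md": "See https://openclaw.com for the project site.\n",
}

# A string literal of 8+ characters assigned to a credential-looking name.
# [ \t]* (not \s*) keeps the match on one line so line numbers stay correct.
CRED_ASSIGN = re.compile(
    r"^[ \t]*(?P<name>\w*(?:password|passwd|secret|token|api_key)\w*)[ \t]*=[ \t]*"
    r"[\"'](?P<value>[^\"'\n]{8,})[\"']",
    re.IGNORECASE | re.MULTILINE,
)

TEST_DIRS = {"test", "tests", "spec", "fixtures"}  # assumed convention


def is_test_path(path: str) -> bool:
    """True for files under a test directory or named test_*."""
    parts = PurePosixPath(path).parts
    return any(p in TEST_DIRS for p in parts[:-1]) or parts[-1].startswith("test_")


def scan(files: dict[str, str]) -> list[dict]:
    """Raw regex hits, one per matching assignment, with 1-based line numbers."""
    hits = []
    for path, text in files.items():
        for m in CRED_ASSIGN.finditer(text):
            hits.append({
                "path": path,
                "line": text.count("\n", 0, m.start()) + 1,
                "name": m.group("name"),
                "value": m.group("value"),
            })
    return hits


def triage(files: dict[str, str]) -> list[dict]:
    """Keep 'high' for any literal in non-test code, or a test literal that is
    reused in non-test code; demote to 'info' only for an isolated test fixture."""
    results = []
    for hit in scan(files):
        reused = sorted(p for p, text in files.items()
                        if not is_test_path(p) and hit["value"] in text)
        if not is_test_path(hit["path"]):
            hit.update(severity="high", reason="credential literal in non-test code")
        elif reused:
            hit.update(severity="high",
                       reason="test literal reused in non-test code: " + ", ".join(reused))
        else:
            hit.update(severity="info",
                       reason="test fixture; literal absent from non-test code")
        results.append(hit)
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print(f'{hit["severity"]:5} {hit["path"]}:{hit["line"]} {hit["name"]} ({hit["reason"]})')
```

The second condition matters more than the path check: a "test" password copied into a default config is exactly the case a path-based allowlist would hide, so the literal is searched for across every non-test file before the hit is demoted.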

File Tree

13 files · 52.9 KB · 2028 lines
Markdown: 3 files, 1003 lines · Python: 9 files, 1002 lines · TOML: 1 file, 23 lines
├─ 📁 lib
│ ├─ 🐍 __init__.py Python 1L · 75 B
│ ├─ 🐍 audit.py Python 59L · 1.8 KB
│ ├─ 🐍 crypto.py Python 106L · 2.9 KB
│ ├─ 🐍 expiry.py Python 76L · 2.0 KB
│ └─ 🐍 store.py Python 267L · 8.3 KB
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 1L · 40 B
│ └─ 🐍 vault.py Python 329L · 10.0 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 1L · 34 B
│ └─ 🐍 test_roundtrip.py Python 162L · 5.0 KB
├─ 📝 EXAMPLE.md Markdown 440L · 9.0 KB
├─ 📄 pyproject.toml TOML 23L · 432 B
├─ 📝 README.md Markdown 354L · 8.0 KB
└─ 📝 SKILL.md Markdown 209L · 5.4 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
cryptography | >=43.0.0 | pip | No | Minimum version constraint only; recommend pinning to a specific version
pytest | >=8.0.0 | pip (dev) | No | Dev-only dependency

Security Positives

✓ Solid AES-256-GCM encryption with PBKDF2 at 600,000 iterations, which matches the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
✓ Clear documentation with threat model explaining what is and isn't protected
✓ No network requests or data exfiltration
✓ Audit logging that explicitly excludes credential values
✓ Uses reputable cryptography library (pyca/cryptography)
✓ Secure file permissions (0600) set on vault file
✓ No credential harvesting from environment or sensitive paths
✓ No obfuscation or base64-encoded payloads
✓ Session key automatically cleared on lock command
✓ All functionality declared in SKILL.md
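The positives above and the resource table are static-scan claims. The following added Python example, which is a practitioner's check and not the skill's own code, verifies the on-disk properties those claims imply: a PBKDF2-derived 32-byte key (hashlib, 600,000 iterations), a vault file created with mode 0600 at open time rather than chmod'ed afterwards, and a JSON envelope whose KDF parameters, nonce and tag sizes fit AES-256-GCM. The envelope field names, the placeholder ciphertext bytes and the master password are assumptions; this page does not show the real vault.enc.json layout, and the actual encryption would use pyca/cryptography's AESGCM, which this standard-library-only example does not perform.

```python
import hashlib
import json
import os
import stat
import tempfile

# Parameters the report lists as positives: PBKDF2 at 600,000 iterations (the OWASP
# figure for PBKDF2-HMAC-SHA256), AES-256-GCM (32-byte key, 12-byte nonce, 16-byte
# tag), and a 0600 vault file.
MIN_ITERATIONS = 600_000
KEY_LEN, NONCE_LEN, TAG_LEN, MIN_SALT_LEN = 32, 12, 16, 16


def derive_key(password: str, salt: bytes, iterations: int = MIN_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library; returns a 32-byte AES-256 key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def write_vault(path: str, envelope: dict) -> None:
    """Create the vault with mode 0600 at creation time, so there is no window in
    which it is group/world readable. O_EXCL refuses to overwrite an existing vault."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(envelope, fh)


def _hex_len(value) -> int:
    """Length in bytes of a hex-string field, or -1 if it is missing or malformed."""
    try:
        return len(bytes.fromhex(value)) if isinstance(value, str) else -1
    except ValueError:
        return -1


def audit_vault(path: str) -> list[str]:
    """Return the problems found with a vault file; an empty list means it matches the
    properties the report describes. The envelope layout (kdf/cipher/nonce/ciphertext
    keys) is an assumption of this example, not the skill's real on-disk format."""
    issues = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        issues.append(f"file mode {mode:04o} grants group/other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        env = json.load(fh)
    kdf = env.get("kdf", {})
    if kdf.get("name") != "pbkdf2-hmac-sha256":
        issues.append(f"unexpected KDF {kdf.get('name')!r}")
    if not isinstance(kdf.get("iterations"), int) or kdf["iterations"] < MIN_ITERATIONS:
        issues.append(f"PBKDF2 iterations {kdf.get('iterations')!r} below {MIN_ITERATIONS}")
    if _hex_len(kdf.get("salt")) < MIN_SALT_LEN:
        issues.append(f"salt shorter than {MIN_SALT_LEN} bytes")
    if env.get("cipher") != "aes-256-gcm":
        issues.append(f"unexpected cipher {env.get('cipher')!r}")
    if _hex_len(env.get("nonce")) != NONCE_LEN:
        issues.append(f"GCM nonce must be exactly {NONCE_LEN} bytes (NIST SP 800-38D)")
    if _hex_len(env.get("ciphertext")) < TAG_LEN:
        issues.append(f"ciphertext shorter than the {TAG_LEN}-byte GCM tag; cannot be authenticated")
    return issues


def demo() -> dict:
    """Write a well-formed vault and a deliberately weak one, then audit both."""
    tmp = tempfile.mkdtemp()
    salt = os.urandom(MIN_SALT_LEN)
    key = derive_key("correct horse battery staple", salt)  # constructed master password
    good_env = {
        "version": 1,
        "kdf": {"name": "pbkdf2-hmac-sha256", "iterations": MIN_ITERATIONS, "salt": salt.hex()},
        "cipher": "aes-256-gcm",
        "nonce": os.urandom(NONCE_LEN).hex(),
        # Placeholder bytes standing in for AES-GCM output (ciphertext || 16-byte tag);
        # the audit inspects structure only and never needs the plaintext.
        "ciphertext": os.urandom(48).hex(),
    }
    good = os.path.join(tmp, "vault.enc.json")
    write_vault(good, good_env)

    weak_env = dict(good_env,
                    kdf={"name": "pbkdf2-hmac-sha256", "iterations": 1_000, "salt": os.urandom(8).hex()},
                    nonce=os.urandom(16).hex())  # not the 96-bit nonce GCM is specified for
    weak = os.path.join(tmp, "weak.enc.json")
    write_vault(weak, weak_env)
    os.chmod(weak, 0o644)  # simulate a vault created without the 0600 mode
    return {"key_len": len(key), "good": audit_vault(good), "weak": audit_vault(weak)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems)
```

Running the block prints an empty list for the well-formed vault and four findings for the weak one (mode, iterations, salt length, nonce length). The mode check reads permissions from the inode rather than trusting what the code intended to set, which is the difference between "0600 is in the source" and "0600 is on the file".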