Security Scan
OpenClaw
Suspicious
High confidence: The skill's stated behavior (secure AES storage) roughly matches the code, but there are clear inconsistencies and weak/incorrect cryptographic handling that make the implementation misleading and unsafe for real secrets.
Assessment
This skill implements local encrypted storage but is misleading and not safe for high-value secrets as-is. Key issues to consider before installing or using: 1) SKILL.md claims the encryption key comes from an environment variable, but the script ignores env vars and uses a hardcoded SIMPLE_KEY ('openclaw-secure-storage-v1') with a static salt — an attacker who obtains the repo can decrypt stored values. 2) The code uses a simple AES-256-CBC scheme with a static salt and no authentication (no AE...
ℹ Purpose and capabilities
Name, description, and features (set/get/list/delete) match the included script's functionality. However the SKILL.md says the encryption key is read from an environment variable and the storage filename is '.secure-storage.json', whereas the script hardcodes the encryption key and writes to '$HOME/.openclaw/workspace/memory/secure-storage.json' — these mismatches are unexpected and unexplained.
⚠ Instruction scope
SKILL.md instructs running the provided node script and warns the encryption key is from an env var; the actual script does not read any env var for the key and uses a hardcoded SIMPLE_KEY. The SKILL.md/README also references a different storage filename than the script uses. The script performs only local file I/O and no networking, but the documentation gives a false impression about how the key is provided.
✓ Install mechanism
No install spec (instruction-only with one script). This has low install risk: nothing is downloaded or executed implicitly during install.
⚠ Credential requirements
SKILL.md claims the encryption key comes from an environment variable, but the skill.json declares no required env vars and the script ignores environment variables for the key. Instead the code uses a hardcoded SIMPLE_KEY and a static salt ('salt') when deriving an AES key — this is disproportionate to the claimed secure behavior and weakens confidentiality.
✓ Persistence and permissions
Skill does not request 'always: true' and is user-invocable only. It writes a storage file under the user's HOME path (creates ~/.openclaw/workspace/memory/secure-storage.json) with file mode 0600, which is reasonable for a local CLI tool. It does not modify other skills or system-wide configs.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/13
AES encrypted storage, author changed to c32
● Suspicious
Install command
Official: npx clawhub@latest install secure-storage
Mirror (accelerated): npx clawhub@latest install secure-storage --registry https://cn.longxiaskill.com