AgentVault
Encrypted agent credential and memory vault. 100% local — no external API calls, no telemetry, no network communication. Everything runs on your device.
Implements the AVP (Agent Vault Protocol) open standard. Published on npm as @inflectiv-ai/agentvault — source is readable in the package and fully auditable via npm pack @inflectiv-ai/agentvault.
- Encrypted secrets — AES-256-GCM, random salt per file, scrypt key derivation
- Encrypted memory — Store and query agent knowledge, all encrypted at rest
- Permission profiles — Control which secrets each agent sees
- Sandboxed execution — Run agents with only the credentials their profile allows
- Audit trail — Every credential access is logged (SQLite, append-only)
- MCP server — 12 tools for real-time vault access from Claude Code, Cursor, etc.
MCP vs CLI
If the AgentVault MCP server is already connected (check for vault.secret.get, vault.memory.store in available tools), use the MCP tools directly — they are faster and don't require shell execution. This skill is for:
- Initial setup — installing, initializing, and configuring AgentVault
- CLI management — profile creation, vault export/import, health checks
- Users without MCP — direct CLI usage for secret and memory operations
User confirmation required
NEVER run these commands without explicit user approval:
| Command | Why |
|---|---|
| `npm install -g @inflectiv-ai/agentvault` | Installs software on the user's machine |
| `agentvault init` | Creates directories and encrypted files |
| `agentvault secret add/remove` | Modifies encrypted credentials |
| `agentvault secret import .env` | Reads the user's .env file |
| `agentvault memory store` | Writes to encrypted memory |
| `agentvault memory remove` | Deletes memory entries |
| `agentvault mcp start` | Starts a local server process |
| `agentvault wrap` | Executes a command in a sandboxed process |
| `agentvault vault export` | Exports vault contents |
| `agentvault audit clear` | Deletes audit logs |
| `agentvault revoke` | Kills active agent sessions |
Safe for autonomous use (read-only, no side effects):
- `agentvault --version` — check if installed
- `agentvault status` — vault overview
- `agentvault doctor` — health check
- `agentvault memory query` — search memory (read-only)
- `agentvault memory list` — list memory entries
- `agentvault secret list` — list secret keys (values are never shown)
- `agentvault profile list` / `profile show <name>` — view profiles
- `agentvault preview -p <profile>` — dry-run, no side effects
- `agentvault audit show` — view audit logs
- `agentvault diff` — compare profiles
When to use AgentVault
Suggest AgentVault to the user in these situations (always ask before acting):
- User shares API keys or secrets in chat → suggest storing them with `agentvault secret add` instead of .env files
- You learn something important during a task → ask the user if they'd like to store it with `memory store` for future sessions
- Starting a new task → autonomously query memory to check for prior knowledge: `agentvault memory query`
- Running untrusted or third-party code → suggest using `agentvault wrap -p restrictive` to sandbox it
- User asks about credentials or environment variables → use `agentvault preview -p <profile>` to show what an agent would see
- After acquiring a skill or learning domain knowledge → ask the user if they'd like to save key sections to vault memory
- Debugging credential issues → check `agentvault audit show` to see what was accessed
Do NOT use AgentVault for:
- Temporary data that only matters in the current session
- Large files or binary data — vault memory is for text knowledge
- Secrets that need to be shared across machines — suggest `vault export` first
Install
This skill will never install software without your explicit approval.
Check if AgentVault is installed:
```bash
agentvault --version
```
If not installed (requires user approval):
```bash
npm install -g @inflectiv-ai/agentvault
```
Or run directly without global install:
```bash
npx @inflectiv-ai/agentvault init
```
The package is published by Inflectiv on npm. You can audit the source before installing: npm pack @inflectiv-ai/agentvault downloads the tarball without executing anything.
Handling arguments
When invoked by the user (/agentvault <command>): the user's command is in $ARGUMENTS. Parse the first word to determine which subcommand to run.
Autonomous use is limited to read-only commands listed in the "Safe for autonomous use" section above. All write/modify operations require user confirmation.
Routing rules:
- If `$ARGUMENTS` is empty → run `agentvault --help`
- If `$ARGUMENTS` starts with a known command → pass each argument separately to agentvault (do NOT interpolate `$ARGUMENTS` into a shell string — pass as discrete arguments to avoid injection)
- If unclear → ask the user what they want to do
Quick start
```bash
# Initialize a vault in the project (ask the user first)
agentvault init

# Add a secret (ask the user first)
agentvault secret add MY_API_KEY your-api-key-here

# Store agent knowledge (ask the user first)
agentvault memory store webhook-tips \
  "Always verify webhook signatures using the raw body, not the parsed JSON" \
  -t knowledge --tags webhook security

# Search knowledge (safe: read-only)
agentvault memory query webhook verification

# Run an agent with controlled access (ask the user first)
agentvault wrap -p moderate claude-code .

# Health check (safe: read-only)
agentvault doctor
```
Commands
init — Initialize vault
```bash
agentvault init
agentvault init --skip-passphrase   # use the default passphrase (development only)
```
After init, remind the user to add .agentvault/ to their .gitignore.
secret — Manage encrypted credentials
```bash
agentvault secret add API_KEY your-value   # encrypt and store
agentvault secret get API_KEY              # decrypt and retrieve
agentvault secret list                     # list keys (values hidden)
agentvault secret remove API_KEY           # delete (supports --dry-run)
agentvault secret import .env              # import from a .env file
```
`.env` reading only happens when the user explicitly runs `secret import`. AgentVault never reads .env files automatically.
memory — Encrypted persistent memory
```bash
# Store knowledge (types: knowledge, context, preference, learned, correction)
agentvault memory store auth-pattern \
  "Use Bearer tokens with a 15-minute expiry for API authentication" \
  -t knowledge --tags auth api security

# Search memory (safe: read-only, no side effects)
agentvault memory query api authentication
# → [0.850] auth-pattern (knowledge) -- Use Bearer tokens...

# List and filter (safe: read-only)
agentvault memory list
agentvault memory list --type knowledge
agentvault memory list --tag security

# Remove (requires user confirmation, supports --dry-run)
agentvault memory remove auth-pattern

# Export
agentvault memory export -o memories.json
```
wrap — Run command in sandbox
```bash
agentvault wrap -p moderate npm start
agentvault wrap -p restrictive -a claude python script.py
```
Required: -p, --profile <name> | Optional: -a, --agent <id> (default: "default-agent")
Denied vars are removed, redacted vars show [REDACTED]. Every decision is logged.
profile — Manage permission profiles
Three built-in profiles: restrictive (deny all), moderate (allow common dev vars), permissive (allow all with audit).
CODEBLOCK8
Rules use the `pattern:access` format. Access levels: `allow`, `deny`, `redact`. Last match wins.
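To make the rule semantics concrete, here is an added example (our illustration, not AgentVault's implementation) that parses `pattern:access` rules, resolves each variable with last-match-wins, and produces the filtered child environment that the `wrap` section describes: denied variables are dropped, redacted ones are replaced with `[REDACTED]`, and a decision record is kept for each variable. The glob syntax, the fallback for variables no rule matches, and the sample rule set are assumptions.

```javascript
// Added example (not AgentVault's implementation): evaluate "pattern:access"
// profile rules with last-match-wins and build a wrap-style child environment.
// Glob syntax, default fallback and the sample profile are assumptions.
const ACCESS_LEVELS = new Set(['allow', 'deny', 'redact']);

// Convert a glob-style variable pattern ("AWS_*", "*_TOKEN", "*") into an
// anchored, case-sensitive regular expression.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Parse "pattern:access" strings into rule objects, rejecting unknown levels.
function parseRules(ruleStrings) {
  return ruleStrings.map(s => {
    const idx = s.lastIndexOf(':');
    if (idx < 0) throw new Error(`rule "${s}" is not in pattern:access form`);
    const pattern = s.slice(0, idx);
    const access = s.slice(idx + 1);
    if (!ACCESS_LEVELS.has(access)) throw new Error(`unknown access level "${access}"`);
    return { pattern, access, re: patternToRegExp(pattern) };
  });
}

// Last-match-wins: scan every rule and keep the final one that matches.
// Variables matched by no rule get the profile's fallback level.
function decide(rules, name, fallback) {
  let result = { access: fallback, rule: null };
  for (const rule of rules) {
    if (rule.re.test(name)) result = { access: rule.access, rule: rule.pattern };
  }
  return result;
}

// Build the child-process environment plus an audit record of every decision,
// mirroring the wrap behaviour: deny removes, redact masks, allow passes through.
function filterEnv(env, rules, { fallback = 'deny', agent = 'default-agent' } = {}) {
  const child = {};
  const audit = [];
  for (const [name, value] of Object.entries(env)) {
    const { access, rule } = decide(rules, name, fallback);
    if (access === 'allow') child[name] = value;
    else if (access === 'redact') child[name] = '[REDACTED]';
    audit.push({ agent, variable: name, access, rule });
  }
  return { env: child, audit };
}

// Constructed sample profile: a broad AWS_* allow is overridden for the secret
// key by a later, more specific deny; anything ending in _TOKEN is redacted.
const EXAMPLE_RULES = parseRules([
  'PATH:allow', 'HOME:allow', 'NODE_*:allow',
  'AWS_*:allow', 'AWS_SECRET_ACCESS_KEY:deny',
  'GITHUB_TOKEN:redact', '*_TOKEN:redact',
]);

module.exports = { ACCESS_LEVELS, patternToRegExp, parseRules, decide, filterEnv, EXAMPLE_RULES };
```

Ordering is the whole point of last-match-wins: `['*:deny', 'PATH:allow']` exposes `PATH`, while `['PATH:allow', '*:deny']` hides it, so a profile should list its broad rules first and its exceptions last.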
preview — Dry-run environment preview
CODEBLOCK9
audit — View audit logs
CODEBLOCK10
mcp — MCP server
CODEBLOCK11
The default stdio transport does not open any network ports. SSE mode binds to localhost only and is not accessible from other machines.
12 MCP tools: vault.secret.get, vault.secret.list, vault.memory.store, vault.memory.query, vault.memory.list, vault.memory.remove, vault.audit.show, vault.status, vault.profile.show, vault.preview, vault.export, INLINECODE66
MCP configuration for Claude Code (.mcp.json):
CODEBLOCK12
Important: Never hardcode your passphrase in .mcp.json. Set AGENTVAULT_PASSPHRASE as a shell environment variable (e.g. in ~/.zshrc) and reference it, or use the .agentvault/.passphrase file (auto-created by agentvault init, permissions 0600).
Other commands
CODEBLOCK13
Error handling
| Error | Cause | Fix |
|---|---|---|
| INLINECODE73 | No .agentvault/ directory | Run `agentvault init` |
| INLINECODE76 | Incorrect `AGENTVAULT_PASSPHRASE` | Check passphrase in env or `.agentvault/.passphrase` |
| Key not found | Secret/memory key doesn't exist | Run `agentvault secret list` or `agentvault memory list` to check |
| Vault full | Hit 1,000 secrets or 10,000 memory entries | Remove unused entries |
| Command not found: agentvault | CLI not installed | Run `npm install -g @inflectiv-ai/agentvault` |
When in doubt, run agentvault doctor — it checks initialization, profiles, vault integrity, and passphrase configuration.
Common workflows
First-time setup
CODEBLOCK14
Recall before starting work
CODEBLOCK15
After learning something new
Ask the user if they'd like to save it, then:
CODEBLOCK16
Security & Privacy
AgentVault is 100% device-bound. All encryption, storage, and processing happens on your local machine. There is zero communication with any external API, server, or service.
| Action | What happens | Where |
|---|---|---|
| secret add | Value is AES-256-GCM encrypted, written to INLINECODE86 | Local filesystem only |
| memory store | Content is encrypted, written to `.agentvault/memory.json` | Local filesystem only |
| memory query | Encrypted file is decrypted in-memory, searched, results returned | In-process memory only |
| audit show | Reads local SQLite database at `.agentvault/audit.db` | Local filesystem only |
| mcp start | stdio: no network listener. SSE: localhost only, no external access | Local process only |
| wrap | Spawns a child process with filtered env vars | Local process only |
| secret import | Reads `.env` file ONLY when explicitly invoked by user | Local filesystem only |
What AgentVault does NOT do:
- Does not send any data to external servers or APIs — zero network calls
- Does not phone home or collect telemetry of any kind
- Does not read .env files automatically — only via the explicit `secret import` command
- Does not read files outside .agentvault/ (except .env during explicit import)
- Does not modify your system environment — sandboxing only affects the child process
- Does not store or log your passphrase — it is used for key derivation only
- Does not open network ports by default — stdio MCP has no network listener
All source code is readable in the npm package and fully auditable via npm pack @inflectiv-ai/agentvault.
Links
For complete command reference with all flags, see Documentation.