Mema Vault

The skill is a local vault and only requests a single environment variable (MEMA_VAULT_MASTER_KEY), which aligns with the stated purpose. Minor inconsistency: documentation claims "AES-256-CBC (via Python `cryptography` Fernet)", but Fernet's specification and common implementations do not match a plain "AES-256-CBC" claim — this is a wording/accuracy issue in the README, not evidence of hidden functionality.

SKILL.md instructs the agent to run the included CLI script and to install the `cryptography` package. Runtime behavior in the script is limited to reading MEMA_VAULT_MASTER_KEY, creating/reading data/salt.bin and data/vault.db in the workspace, and printing masked output by default. The only potentially surprising behaviors are (1) the `get` command uses a SQL LIKE (%...%) query (could return partial matches), (2) the --show flag prints raw secrets to console when used, and (3) audit information is written to console rather than a structured log — all of which are documented or obvious in the script.

No global install spec was recorded in the registry manifest, but SKILL.md includes metadata to run `pip install cryptography`. Installing from PyPI is a standard, low-to-moderate risk action. There are no downloads from arbitrary URLs or archive extraction steps.

Only MEMA_VAULT_MASTER_KEY is required, which is appropriate for a local vault. The script does not request unrelated credentials or external service keys.

The skill is not always-enabled and does not request elevated platform privileges. It does persist an encrypted SQLite DB and a salt file under data/ in the workspace; users should be aware these files remain on disk and protect workspace storage and backups accordingly.