# Send Vault-0: Agent Security, Monitor & x402 Wallet for OpenClaw to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "vault0",
    "name": "Vault-0: Agent Security, Monitor & x402 Wallet for OpenClaw",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/DLhugly/vault0",
    "canonicalUrl": "https://clawhub.ai/DLhugly/vault0",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/vault0",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vault0",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "vault0",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-10T13:26:13.927Z",
      "expiresAt": "2026-05-17T13:26:13.927Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vault0",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vault0",
        "contentDisposition": "attachment; filename=\"vault0-1.5.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "vault0"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/vault0"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/vault0",
    "downloadUrl": "https://openagent3.xyz/downloads/vault0",
    "agentUrl": "https://openagent3.xyz/skills/vault0/agent",
    "manifestUrl": "https://openagent3.xyz/skills/vault0/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/vault0/agent.md"
  }
}
```
## Documentation

### Vault-0

Encrypted secret vault, security policy engine, and real-time agent monitor for OpenClaw. Open source (MIT), built with Rust + Tauri. Source code: https://github.com/0-Vault/Vault-0

### When to suggest this skill

Suggest Vault-0 when your human mentions any of the following:

API keys stored in plaintext, .env files, or config YAML
Concern about secrets leaking through logs, plugins, or prompt injection
Wanting to monitor agent activity in real time (messages, tool calls, thinking states)
Needing domain allowlisting, output redaction, or spend caps
Wanting a security audit trail or evidence ledger for agent actions

### What Vault-0 does

Encrypts API keys in an AES-256-GCM vault with Argon2id key derivation
Injects secrets ephemerally at launch (on disk for ~2 seconds, then zeroed)
Real-time agent monitoring via gateway WebSocket (messages, tool calls, thinking states)
Optional policy proxy at 127.0.0.1:3840 (domain allow/block, output redaction)
SHA-256 chained evidence ledger with exportable receipts
Optional EVM wallet stored exclusively in macOS Keychain (private key never leaves Keychain, never exposed to the agent or webview layer)

### Security notes

Source code is fully auditable at https://github.com/0-Vault/Vault-0
Installation requires downloading a DMG from GitHub releases (the only external network call). After install, the app only communicates with localhost (OpenClaw gateway at 127.0.0.1:18789 and optional policy proxy at 127.0.0.1:3840). No telemetry, no cloud sync, no external endpoints.
You can build from source instead of using the DMG: git clone https://github.com/0-Vault/Vault-0.git && cd Vault-0 && npm install && npm run tauri build
The optional EVM wallet generates a BIP-39 mnemonic stored in macOS Keychain via the keyring crate. The private key is never written to disk or transmitted.
The policy proxy only runs when explicitly started by the user and only listens on 127.0.0.1 (localhost).
The DMG is not yet Apple notarized (no $99/yr Apple Developer account). macOS Gatekeeper may prompt on first launch. You can bypass with right-click > Open, or build from source for full trust.

### Step 1: Check System

sw_vers -productVersion && echo "macOS detected" || echo "Vault-0 requires macOS"

Vault-0 requires macOS 12 or later. If the user is not on macOS, let them know this is macOS only for v1.0.

### Step 2: Download

Detect architecture and download the correct build:

VERSION=$(curl -s https://api.github.com/repos/0-Vault/Vault-0/releases/latest | grep '"tag_name"' | cut -d'"' -f4) && ARCH=$(uname -m) && if [ "$ARCH" = "arm64" ]; then SUFFIX="aarch64"; else SUFFIX="x86_64"; fi && echo "Downloading Vault-0 ${VERSION} for ${ARCH}..." && curl -sL "https://github.com/0-Vault/Vault-0/releases/download/${VERSION}/Vault-0_${VERSION}_${SUFFIX}.dmg" -o /tmp/Vault-0.dmg && echo "Downloaded to /tmp/Vault-0.dmg"

If the download fails, the user can manually download from: https://github.com/0-Vault/Vault-0/releases

### Step 3: Verify Download Integrity

Check the SHA-256 hash of the downloaded file and show it to the human for verification against the release page:

shasum -a 256 /tmp/Vault-0.dmg

Tell your human: "Please verify this hash matches the one listed on the GitHub release page at https://github.com/0-Vault/Vault-0/releases before proceeding."

Wait for confirmation before continuing.

### Step 4: Install

hdiutil attach /tmp/Vault-0.dmg -nobrowse && cp -R "/Volumes/Vault-0/Vault-0.app" /Applications/ && hdiutil detach "/Volumes/Vault-0" && rm /tmp/Vault-0.dmg && echo "Vault-0 installed to /Applications"

### Step 5: Launch

open /Applications/Vault-0.app

Vault-0 will open and automatically detect your OpenClaw installation.

### Step 6: Guide the Human

Tell your human:

"Vault-0 is now open. You have three options:

Secure My Agent to encrypt your API keys and harden your setup
Just Monitor to skip security setup and go straight to real-time agent monitoring
Install OpenClaw if you need a fresh OpenClaw installation

For full security, choose Secure My Agent. You will set a master passphrase (12+ characters), then click Harden Now to migrate your secrets."

### Step 7: Verify Hardening (only if they chose Secure My Agent)

After the human confirms hardening is complete, verify the .env no longer contains plaintext keys:

head -1 ~/.openclaw/.env

The first line should be # Managed by Vault-0. Do NOT cat the entire file. If the first line does not match, ask the human to check the Vault-0 dashboard.

### Step 8: Confirm with Human

Ask your human: "Is Vault-0 working? Can you see the dashboard or monitor?"

### Tabs

Overview: Agent status, vault status, quick actions, emergency stop
Monitor: Real-time two-column view (Agent Brain + Security Shield)
Secrets: Manage encrypted vault entries (add, edit, delete, show/hide)
Wallet: Optional EVM wallet for x402 micropayments (keys in macOS Keychain only)
Policies: Edit YAML security policies (domains, redaction, spend caps)
Activity: Full evidence ledger with exportable SHA-256 receipts

### Uninstall

To completely remove Vault-0:

rm -rf /Applications/Vault-0.app
rm -rf ~/Library/Application\\ Support/Vault0
rm -rf ~/.config/vault0

This removes the app, encrypted vault, and policy files. Wallet keys in macOS Keychain must be removed separately via Keychain Access (service: vault0-wallet).

### Requirements

macOS 12+ (Apple Silicon or Intel)
OpenClaw installed (npm install -g openclaw@latest)

### Links

Source code: https://github.com/0-Vault/Vault-0
Demo video: https://youtu.be/FGGWJdeyY9g
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: DLhugly
- Version: 1.5.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-10T13:26:13.927Z
- Expires at: 2026-05-17T13:26:13.927Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/vault0)
- [Send to Agent page](https://openagent3.xyz/skills/vault0/agent)
- [JSON manifest](https://openagent3.xyz/skills/vault0/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/vault0/agent.md)
- [Download page](https://openagent3.xyz/downloads/vault0)