Is lokoweb3/x1-vault-memory safe?
https://github.com/openclaw/skills/tree/main/skills/lokoweb3/x1-vault-memory
X1 Vault Memory is a blockchain-anchored IPFS backup skill for agent personality files. It contains no prompt injection and the install is clean, but the skill has serious concerns: a critical code bug means encryption silently fails for standard @solana/web3.js wallets (making backups non-functional), the heartbeat auto-restore mechanism can be weaponized by an adversary who controls a Pinata CID, and the skill reads the user's crypto private key into agent memory during every operation. An embedded referral code in the documentation also provides an undisclosed financial incentive to the author.
Findings (9)
HIGH Heartbeat auto-restore from unverified IPFS CID -30
heartbeat.js automatically triggers a full workspace restore from the latest vault-log.json CID if SOUL.md is smaller than 10 bytes or memory/ is empty. The restored content is only validated by a SHA-256 checksum that was produced by the same backup process. An adversary who can write to vault-log.json (e.g., via another compromised skill or agent memory) and pin content to any Pinata account can replace the agent's core personality files without user interaction.
HIGH Critical code bug renders encryption non-functional for standard wallets -25
backup.js reads the wallet as const wallet = JSON.parse(...) then derives the encryption key from Buffer.from(wallet.secretKey). The wallet.json setup instructions generate the file as a plain JSON array (JSON.stringify([...kp.secretKey])), so wallet.secretKey is undefined. Buffer.from(undefined) throws a TypeError, causing backup to fail entirely. Users following the README believe their agent data is encrypted and backed up, but no backup is actually created. This is either a serious bug or intentional sabotage of the backup guarantee.
HIGH Crypto private key loaded into agent memory -20
Both backup.js and anchor.js load the full 64-byte Solana keypair secret from wallet.json into Node.js Buffer memory during every backup/restore/anchor operation. If the agent process memory is dumped or if a prompt injection causes the agent to log its context, the private key is exposed. The skill documentation recommends using a dedicated wallet, but this only limits financial exposure, not the key exposure itself.
MEDIUM Embedded referral code provides financial incentive to author -15
The SKILL.md documentation includes a Honey Badger Bot Telegram link containing the referral code ref_HEBCU2E3. The author earns a commission when users sign up through this link. This represents undisclosed monetization embedded in skill documentation that an agent might surface or click on behalf of users.
MEDIUM Agent personality files uploaded to third-party IPFS service -18
The backup operation tarballs IDENTITY.md, SOUL.md, USER.md, TOOLS.md, and the entire memory/ directory and uploads them to Pinata's IPFS pinning service. Even with AES-256-GCM encryption (if the wallet bug is fixed), the encrypted blob is stored on Pinata's infrastructure indefinitely. Pinata's free tier retains data, and CIDs are publicly accessible by anyone who knows the hash.
MEDIUM IPFS content downloaded and extracted to workspace root without signing -22
restore.js downloads an encrypted blob from gateway.pinata.cloud and, after decryption, extracts a tar archive directly to the workspace root (two levels above the skill directory). The only integrity check is a SHA-256 checksum embedded in the backup itself — there is no signature verification, no server-side access control, and no proof that the content originated from the user's own backup. A compromised Pinata account or man-in-the-middle at the IPFS gateway could serve a manipulated archive.
MEDIUM Version metadata inconsistency across files -10
SKILL.md and package.json declare version 0.2.0 with changelog entries for v1.1.0 and v1.1.2, while _meta.json shows the latest published version as 0.1.10. This inconsistency suggests either the published registry metadata is stale or the version numbers in documentation were fabricated to imply a more mature codebase with security fixes.
LOW Blockchain transactions make real financial transfers on user's behalf -8
anchor.js submits signed transactions to X1 mainnet using the user's wallet keypair. Each backup incurs ~0.002 XNT in transaction fees. If vault-log.json or heartbeat cron is configured aggressively, repeated anchor calls could drain a small wallet. The transactions also permanently associate the user's public key with their backup CIDs on a public blockchain.
LOW No unexpected activity during clone — install is clean 0
The git clone operation connected only to GitHub (140.82.112.4). No unexpected outbound connections, process spawning, or filesystem modifications outside the skill directory were observed during installation. The sparse-checkout correctly isolated only the x1-vault-memory subtree.