avault - competitors #1

Open
opened 2026-02-20 13:46:22 +00:00 by nazim · 0 comments
Owner

Competitor Landscape

Survey of existing OpenClaw secret management approaches (as of 2026-02-20). 103 repos tagged openclaw-skill on GitHub, ~10 related to secrets.

Direct Competitors

1. openclaw-secure ★9

  • URL: https://github.com/seomikewaltman/openclaw-secure
  • Approach: Node.js, pluggable backends (macOS Keychain, 1Password, Bitwarden, AWS, GCloud, Azure, Doppler, HashiCorp Vault)
  • How it works: Replaces secrets in config with [STORED_IN_KEYCHAIN] placeholders, restores at runtime
  • Strengths: 10 backend options, auto-discovery of secrets, LaunchAgent integration (macOS boot security)
  • Weaknesses: macOS-centric (Keychain is default), relies on third-party password managers, no encryption protocol of its own, not designed for headless VPS
  • vs avault: Different philosophy — delegates to existing infra vs. self-sovereign encryption. avault works on any Linux VPS with zero third-party deps.

2. oauth3-openclaw ★2

  • URL: https://github.com/amiller/oauth3-openclaw
  • Approach: TEE (Trusted Execution Environment) proxy. Agent submits code, human approves, code runs in Deno sandbox inside enclave with keys injected
  • Strengths: Agent never sees the key at all, LLM-reviewed execution, session-based auto-approval
  • Weaknesses: Requires TEE hardware (dstack CVM / Phala), heavy infrastructure, not self-hostable on a $5 VPS
  • vs avault: Closest in philosophy (human-approved access) but architecturally opposite (centralized TEE vs. decentralized Nostr)

3. gopass-skill ★0

  • URL: https://github.com/brenner-axiom/gopass-skill
  • Approach: GPG-encrypted secrets via gopass CLI
  • Strengths: Battle-tested GPG encryption, git-native (gopass stores in git)
  • Weaknesses: GPG key management complexity, no remote signing, no daemon/RAM-only mode
  • vs avault: Similar encrypted-at-rest approach but no NIP-46 remote signing or RAM-only daemon

Adjacent / Partial Overlap

4. ClawSec (prompt-security)

  • URL: https://github.com/prompt-security/clawsec
  • What: Security suite — drift detection, CVE monitoring, file integrity, audit scripts
  • Not a secrets manager but relevant to the security ecosystem

5. openclaw-secrets ★0

  • URL: https://github.com/amor71/openclaw-secrets
  • What: External secrets management contribution (minimal info)

6. hal-ai-agent/openclaw-manager ★0

  • URL: https://github.com/hal-ai-agent/openclaw-manager
  • What: DigitalOcean provisioning with 1Password secrets

7. kryptobaseddev/openclaw-cleo ★5

  • URL: https://github.com/kryptobaseddev/openclaw-cleo
  • What: Proxmox installer with Doppler secrets integration

8. kcalvelli/GenX64 ★0

  • URL: https://github.com/kcalvelli/GenX64
  • What: NixOS module with secrets management for OpenClaw agents

avault Unique Differentiators

| Feature | avault | openclaw-secure | oauth3 | gopass-skill |
|---------|--------|-----------------|--------|--------------|
| Encryption | NIP-44 (XChaCha20) | Delegates to backend | TEE enclave | GPG |
| Remote signing | NIP-46 (phone as key) | ❌ | Human approval UI | ❌ |
| RAM-only secrets | ✅ daemon mode | ❌ (restores to config) | ✅ (in TEE) | ❌ |
| Works on $5 VPS | ✅ | ❌ (needs Keychain/1PW) | ❌ (needs TEE) | ✅ |
| Third-party deps | None (Nostr relays) | 1Password/Bitwarden/etc | dstack/Phala | GPG |
| Self-sovereign | ✅ | ❌ | ❌ | Partially |
| Auto-commit vault | ✅ | ❌ | N/A | ✅ (gopass) |