Memory,truly yours.

Zero plaintext in the cloud, available across devices, decrypted only by you.

Send this to your AI agent to install automatically

>read https://membox.cloud/skill.md

Active session

Encrypted transport layer

Awaiting sign-in

Memory chunks

wrapped before upload

Recovery keys

derived locally

Server posture

metadata + ciphertext

$openclaw membox status

identity: linked after you sign in

browser: current web session can be resumed

vault: readable only after local decryption

relay: ciphertext and minimal metadata only

Every memory block is encrypted and wrapped before upload, so the server never handles plaintext.

Each device has its own identity and must be approved or recovered before it can join sync.

Trusted-device approval, recovery codes, and recovery bundles work together instead of relying on a single weak link.

1. Prove identity

GitHub, Google, or email confirms who you are, but does not directly unlock decryption.

2. Trust the device

A new machine still needs approval from a trusted device or your saved recovery material.

3. Sync ciphertext

The OpenClaw plugin handles encrypted object upload and download while the web app manages account state.

Your memories remain yours alone. The system is designed so even the server operator cannot read your data.

Passphrase never enters AI chat or the network

Server stores ciphertext and minimal metadata only

Encryption flows stay inspectable and verifiable

$openclaw membox setup

✓ sign-in only proves identity

✓ the same browser session can be resumed

✓ vault keys are generated and kept locally

✓ the relay only sees ciphertext and index metadata

Key ladder

passphrase -> user recovery key -> account master key -> data encryption keys

The web app manages the account. Device pairing and encrypted sync can continue only after the OpenClaw runtime has actually loaded the Membox tools.

Plugin$ openclaw plugins install @membox-cloud/membox

Skill$ clawhub install membox-cloud-sync