Vaultamagic

Security & trust

Vaultamagic is a script generator. The website never connects to CyberArk, never sees a credential, and never receives any of your data. Here's exactly what that means.

Security review (PDF)

A 4-page review of the web page and the generated script: trust model, the exact CyberArk API calls, secret handling, and residual risks.

Download the review →

What the website does — and doesn't

  • No backend, nothing transmittedThe page is static HTML and JavaScript. Your inputs stay in the browser tab; close it and nothing persists or is sent anywhere.
  • No credentials in the browserThe generated script collects credentials at runtime via Get-Credential — never through this page.
  • Readable outputIt produces plain PowerShell you can review line by line before running. No obfuscation, no compiled binary.
  • You stay in controlYou run the script, with your account, on your machine. It can only do what you're already authorized to do.

What the script does to your vault

Read-only. Only GET requests, plus CyberArk's own read-a-secret call. No writes.

Logon & logoff

Authenticates with your credentials and logs off when finished. The session token stays in the local PowerShell session.

List Safes, members, accounts

Paginated GET calls to enumerate Safes, the permission matrix, and accounts you're authorized to see.

List applications

GET calls to the AAM application endpoints, cross-referenced against Safe membership for access mapping.

Retrieve a secret (optional)

Only if you opt in. Sends your reason, is audited by CyberArk, and never happens silently.

Handling secrets & transport

Vaultamagic is an inventory aid for migration. Always follow your organization's policies for credential handling and least privilege, and prefer running it from a trusted, managed endpoint.

Read the script, then run it

Generate it, review the PowerShell, and you'll see there's nothing up our sleeve.

Open the generator →