HACKER Q&A
📣 throwaway15908

Safe, Public Password Vaults?


I once got downvoted a lot for stating that I have put my password vault in my public dotfiles repository.

What I should also have said was that there is a token file in place that needs to be decrypted whenever I clone the repo to a new machine. The file is encrypted in a way where nothing, e.g. PGP's HMAC, makes the failure of decryption transparent. So there is no possibility to brute force.

To crack the entire thing, an attacker needs to correctly guess my token password, and a correct guess is not distinguishable from a failure. And once the attacker has the correct one, they still need to crack the vault's password. But this stage is practically impossible to reach.

My vault and the encrypted token file are public.

What I need to access my identities is the vault, the decrypted token, which has to be private at all costs and of course my password.

Should I be concerned? Should I add something or kill it instantly?

It's quite convenient, not tied to a provider, and hopefully safe. Yes, it's also a big basket of eggs.


  👤 pwg Accepted Answer ✓
> So there is no possibility to brute force.

Brute force is the one option that is always available to an attacker.

What makes brute force untenable in most instances is the amount of time the attacker may need to wait for brute force to find the decryption key. And that amount of time is dependent upon the algorithms used and the amount of hardware an attacker is willing to devote to the brute force option.

An attacker that does not have access to your vault and token can try neither brute force nor look for cracks in the method you use to encrypt the token that might allow for decryption.

An attacker that does have access to vault and token is given the ability to try brute force and to look for cracks that might allow decrypting the vault.

State 1 (attacker does not have the vault or token) is lower risk than state 2 (attacker has access to the vault and token).

By storing your vault, and this token, in a public repository you have increased your risk. Whether the increased risk means your "locks" will be picked is unknown, but you are more at risk of having them picked than if you did not have your vault and token in a public repository.
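The two points in this answer (brute force is always available once the attacker holds the files, and the waiting time is set by the algorithm's cost and the attacker's hardware) can be made concrete. The block below is an added example written for this page, not code from the thread or from any vault tool. It assumes PBKDF2-HMAC-SHA256 as a stand-in for whatever KDF the real tool uses, and it uses a deliberately toy SHA-256 keystream cipher (not PGP, not for real use) that carries no MAC, which is exactly the "decryption failure is not transparent" property the question relies on. The example shows that the plaintext's own structure still acts as a success oracle, so the only things that set the work factor are password entropy and KDF cost; it also estimates that work factor from a locally measured guess rate.

```python
"""Added example (not from the thread): a plaintext-structure oracle exists
even without a MAC, and KDF cost times password entropy sets the work factor."""
import hashlib
import math
import time

# Toy keystream cipher for illustration only (NOT PGP, NOT for real use):
# keystream block i = SHA-256(key || i); ciphertext = plaintext XOR keystream.
# It has no authentication tag, so a wrong key never raises an error.
def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the real tool's KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def looks_like_token(candidate: bytes) -> bool:
    """Structure oracle: a token/config file is printable UTF-8 text.
    Output under a wrong key is pseudo-random bytes and almost never passes."""
    try:
        text = candidate.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\n\t" for ch in text)

def oracle_demo(iterations: int = 10_000) -> dict:
    """Encrypt a constructed token and test the oracle with the right key
    and with a one-character-off wrong key."""
    salt = b"constructed-salt"                       # constructed sample value
    token = b"TOKEN=constructed-example-token-value\n"  # constructed sample value
    right = derive_key("correct horse battery staple", salt, iterations)
    wrong = derive_key("correct horse battery stable", salt, iterations)
    ciphertext = toy_keystream_xor(right, token)
    return {
        "correct_key_passes": looks_like_token(toy_keystream_xor(right, ciphertext)),
        "wrong_key_passes": looks_like_token(toy_keystream_xor(wrong, ciphertext)),
    }

def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)

def brute_force_seconds(entropy_bits: float, seconds_per_guess: float,
                        parallel_guessers: int = 1) -> float:
    """Worst-case time to exhaust 2**entropy_bits guesses on the given hardware.
    Expected time is half of this; more hardware divides it further."""
    return (2.0 ** entropy_bits) * seconds_per_guess / parallel_guessers

def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one KDF evaluation locally; this is what a single guess costs."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    print(oracle_demo())
    per_guess = measure_seconds_per_guess(iterations=600_000)
    for alphabet, length in ((26, 8), (62, 12), (7776, 6)):   # 7776 = diceware words
        bits = password_entropy_bits(alphabet, length)
        years = brute_force_seconds(bits, per_guess, parallel_guessers=1_000) / 31_557_600
        print(f"{length} symbols from {alphabet}: {bits:.1f} bits, "
              f"~{years:.3g} years on 1000 parallel guessers")
```

Two things the numbers make visible: the oracle returns True under the correct key and False under the wrong one even though the cipher never signals an error, so "no failure message" buys nothing; and the only lever the defender controls after the files are public is the product of password entropy and KDF cost, with the attacker's parallelism dividing it back down.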


👤 smoldesu
> So there is no possibility to brute force.

Yet. The cost of copying it is negligible, which suggests there's probably someone collecting these from GitHub repos with the intention of cracking them someday.

So sure, you're "fine" for now. Maybe 3 years from now you'll log onto Hacker News and see the Chinese Shor's algorithm accelerator on the frontpage, though.