surrealfs
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about providing a SurrealDB-backed virtual filesystem, but it includes a host-command pipe feature and external runtime packages that deserve review before use.
Install only if you trust the Cargo/PyPI packages and have reviewed their provenance. Use a dedicated SurrealDB database/user, keep the HTTP server local, disable or audit telemetry for sensitive work, and avoid or sandbox pipe commands unless you explicitly approve each use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If exposed to untrusted prompts or inputs, the agent could be induced to run host commands through the pipe feature.
The skill documents a virtual-filesystem feature that can execute host commands. In an AI-agent context, that is broader than isolated virtual file operations and needs explicit containment.
**Pipe commands**: The Rust core supports `curl URL > /path` syntax for content ingress. This executes the pipe source command on the host.
Do not expose pipe commands to autonomous or untrusted agents by default; require explicit user approval, allowlist commands/URLs, and run the tool in a container or sandbox.
The installed packages could contain behavior not visible in this review.
The runnable implementation comes from external package registries, while the supplied artifact set contains only SKILL.md and no reviewed code or lockfile.
cargo install surrealfs ... pip install surrealfs-ai
Verify the package owners, source repository, versions, and hashes before installing; pin known-good versions where possible.
Over-privileged database credentials could let the agent read or modify more SurrealDB data than intended.
Remote SurrealDB access uses credentials. This is purpose-aligned and the skill advises least privilege, but it is sensitive authority and is not reflected in the registry-level credential declarations.
SURREAL_USER ... sensitive: true ... SURREAL_PASS ... sensitive: true
Use dedicated least-privilege SurrealDB users scoped to one namespace/database, and avoid root credentials outside a local test environment.
Stored files or instructions may influence later agent sessions or be visible to other agents sharing the database.
The skill is designed to retain and reuse content across sessions and potentially across agents, which is useful but can also preserve sensitive or untrusted data.
persistent, queryable virtual filesystem backed by SurrealDB ... content search across sessions ... Multi-agent shared file access
Separate projects into distinct namespaces/databases, periodically review stored content, and avoid storing secrets or untrusted instructions unless you have cleanup and access controls.
If telemetry is enabled or the HTTP service is exposed beyond localhost, operational data or agent tools may be reachable outside the intended local environment.
The Python agent introduces HTTP and telemetry/provider data flows. The defaults and opt-out guidance are disclosed, but users must preserve those boundaries.
Telemetry via Pydantic Logfire (OpenTelemetry) ... HTTP hosting (default port 7932, bound to 127.0.0.1)
Keep the HTTP server bound to localhost unless protected by authentication and TLS, and disable or audit telemetry before processing sensitive data.
