Skill v1.0.0

ClawScan security

memory-lancedb-pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 3:26 PM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (configuring a memory plugin) is plausible, but there are mismatches and risky instructions—most notably it requests and uses API keys without declaring them in metadata and contains prompt-injection indicators—so proceed with caution.
Guidance
This skill appears to be what it says (a config guide for memory-lancedb-pro) but has several red flags you should address before installing or copying secrets into chat:
- Never paste live API keys into a public or persistent chat. If the skill asks for keys, prefer setting them as environment variables in your OpenClaw Gateway process (or in a secured secrets store) and answer "already set as env vars."
- Backup your openclaw.json and any gateway config before letting the skill modify them. Inspect the exact config changes the skill will apply.
- Verify the skill source (GitHub URL and repo owner). The skill metadata lists no homepage and an unknown registry owner; prefer installing only from trusted repos.
- Run the provided curl key-check commands yourself on a local terminal (don’t paste keys into the conversation) so verification happens locally and not through chat history.
- Inspect SKILL.md / references for any system-prompt overrides or unusual instructions (the scanner flagged system-prompt-override). If you find explicit instructions to change agent/system prompts, remove or review them before use.
- If you want to proceed, choose the local Ollama plan (Plan D) when privacy is a priority, or configure keys in the gateway and confirm the skill does not request them in chat. Ask the skill author for a manifest that declares required env vars in metadata so the registry and users can validate proportionality.
If you want, I can: (1) extract the exact curl checks and config templates from SKILL.md so you can run/review them locally, or (2) list the config keys the skill intends to add to openclaw.json so you can pre-review the changes.
Findings
[system-prompt-override] unexpected: The regex scanner detected system-prompt-override patterns in SKILL.md / references (e.g., explicit system-prompt strings in LLM client config). While an extraction assistant prompt is legitimate for LLM-based Smart Extraction, patterns that try to override or reassert system prompts deserve review because they can be used to influence agent/system behavior beyond configuration tasks.

Review Dimensions

Purpose & Capability
note: The skill's name and description match the operations described in SKILL.md: installing/configuring memory-lancedb-pro and wiring embeddings/rerankers/LLMs. Requesting OpenAI/Jina/SiliconFlow/Ollama access is coherent with the described plans. However, the registry metadata declares no required environment variables/primary credential while the runtime instructions explicitly require multiple provider API keys — this mismatch is unexpected.
Instruction Scope
concern: SKILL.md instructs the agent to collect API keys (including asking the user to paste them into chat), to locate/read/merge/edit openclaw.json, to apply configuration templates, restart the gateway, and run smoke tests and curl health checks. These actions are within the plausible scope of a config skill but are sensitive: reading/modifying gateway config can expose unrelated secrets, and asking users to paste credentials into a chat context risks exfiltration. The skill also contains a rule to skip asking for keys if they were already stated in context, which could cause it to reuse keys from earlier conversation without explicit recent confirmation.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no included code files, which minimizes supply-chain/install risk. The README instructs cloning from GitHub, which is normal; the skill itself doesn't automatically download or execute remote archives.
Credentials
concern: The SKILL.md requires multiple provider credentials across plans (OPENAI_API_KEY, JINA_API_KEY, SILICONFLOW_API_KEY, possibly others) and offers a plan with no keys (local Ollama). Those credentials are relevant to the stated purpose, but the skill metadata declares no required env vars or primary credential — a coherence gap. Also, the skill's guidance to paste keys into chat is a high-risk collection pattern; the safer, recommended option is to set keys as process env vars or in the gateway config and let the agent verify them locally.
Persistence & Privilege
ok: The skill does not request always:true and has no special OS restrictions. It auto-loads on trigger phrases (documented). It instructs modifying OpenClaw gateway config files and restarting the gateway, which is reasonable for a configuration skill but is a privileged action — users should back up configs and confirm changes. Autonomous invocation is allowed (platform default) but not by itself a red flag.