Concierge Sdk
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only SDK guide is coherent and purpose-aligned, but users should review the optional package install, telemetry token, and state-storage features before use.
This skill appears safe to use as documentation for the Concierge SDK. Before installing or building with it, use a controlled Python environment, review the external package and optional extras, and only configure telemetry or PostgreSQL state credentials when they are necessary.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package may add external code and dependencies to the user's Python environment.
The skill instructs users to install an unpinned third-party PyPI package and optional extras. This is central to the SDK purpose, but it means the runtime code comes from outside the reviewed instruction-only artifact.
pip install concierge-sdk
...
pip install concierge-sdk[all]
pip install concierge-sdk[postgres]
Use a virtual environment, install from the expected PyPI/source location, and consider pinning or reviewing the package version before using it in sensitive projects.
If configured, database credentials or telemetry tokens could grant access to project infrastructure or analytics services.
The skill discloses optional connection-string and telemetry-token configuration. These credentials are purpose-aligned, but they are sensitive values and the registry metadata lists no env var declarations.
CONCIERGE_STATE_URL: (optional) PostgreSQL connection string
...
CONCIERGE_AUTH_TOKEN: (optional) Auth token for telemetry.
Only provide these variables when needed, scope credentials narrowly, and avoid exposing them in logs, prompts, shared files, or public repositories.
Applications built with this SDK may store user or workflow data in memory or a configured database.
The SDK supports shared state and the example stores an email address. The artifact says state is session-scoped, and PostgreSQL is optional for distributed deployments, so this is expected functionality but can involve sensitive data retention.
Pass data between steps without round-tripping through the LLM. State is session-scoped and isolated per conversation:
...
app.set_state("user_email", "user@example.com")
Define what data may be stored in state, avoid unnecessary sensitive values, set retention controls for persistent backends, and sanitize state before reusing it across workflows.
