Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HeteroMind - Unified Knowledge QA

v0.3.0

Unified heterogeneous knowledge QA system. Automatically routes natural language queries to SQL databases, Knowledge Graphs, or table files using 4-layer det...

by Yongrui Chen (@bahuia)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated functionality (NL→SQL, NL→SPARQL, TableQA, multi-LLM support) justifies requesting LLM API keys and optional database connection strings. However, the registry metadata claims no required environment variables or credentials, while SKILL.md lists required_env_vars (DEEPSEEK_API_KEY, OPENAI_API_KEY) plus optional connection strings. This inconsistency between the registry metadata and the runtime instructions and code should be resolved before the package is trusted.
Instruction Scope
SKILL.md instructs the agent to use LLM API keys, to connect to SQL/PostgreSQL/MySQL endpoints and optional custom KG endpoints, and to read explicitly specified table files. That behavior is in scope for a heterogeneous QA engine. Two things to flag: (1) the default config enables detailed logging (log_layer_outputs, log_verification_details), which may record intermediate query text, schema, and result rows, all potentially sensitive; and (2) per-call API key and endpoint overrides let whoever constructs a call redirect the skill to arbitrary keys or endpoints at runtime, so the destination of LLM traffic (and the query text and schema it carries) is not fixed by the installed configuration. SKILL.md does not instruct the agent to read unrelated system files or to send data to hidden endpoints.
Install Mechanism
The skill has no install spec (it is instruction-only). The package ships code and a plain requirements.txt referencing common PyPI packages (openai, pandas, sqlalchemy, rdflib, etc.). The provided metadata contains no downloads from arbitrary URLs and no extract or install steps, so nothing in the install footprint indicates a hidden remote installer or unusual persistence.
Credentials
The environment variables referenced in SKILL.md (DEEPSEEK_API_KEY, OPENAI_API_KEY, MYSQL_CONNECTION_STRING, POSTGRES_CONNECTION_STRING, CUSTOM_KG_ENDPOINT, TABLE_PATHS) are plausible for the stated purpose. The concern is the mismatch: the registry metadata declares no required env vars, while SKILL.md marks two API keys as required and several sensitive values as optional. That mismatch can produce unexpected credential prompts at runtime. Because the skill can be configured to query databases and read files, supply only least-privilege credentials and explicit table paths.
Persistence & Privilege
The skill does not request 'always: true' and does not declare modifications to other skills or to system-wide configuration. SKILL.md and the config default to auto_execute=false and require_confirmation=true, which is appropriate for a tool that runs generated queries against user data.
What to consider before installing
Do not install the skill or supply credentials until the metadata mismatch is resolved. Specific steps to consider before enabling it:
1) Ask the publisher or registry why the registry metadata lists no required env vars while SKILL.md requires DEEPSEEK_API_KEY and OPENAI_API_KEY.
2) If you proceed, provide only least-privilege credentials (dedicated read-only DB users, scoped API keys) and explicit table file paths rather than wildcards or mounted workspaces.
3) Keep auto_execute disabled and require confirmation; review and test generated queries against a non-production copy of the database first.
4) Remember that the logging and debug options can capture intermediate queries and results; disable verbose logging if the data is sensitive.
5) Inspect SECURITY.md and the source files (especially src/utils/api_security.py and any logging code) for how secrets and outputs are handled.
6) Run the package in an isolated environment with no production credentials first, and confirm its behavior matches the documentation.
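The metadata-mismatch check in step 1 and the configuration checks in steps 2 to 4 can be scripted and run before any credential is handed over. The script below is an added example written for this review; it is not code from the HeteroMind package or from ClawHub's scanner. The SKILL.md frontmatter layout (a YAML-style required_env_vars list), the registry metadata shape, the config key names, the path separator handling, and the "well-known admin user" heuristic are assumptions based only on the variable and option names quoted in the scan above, and every sample input is constructed.

```python
"""Pre-install audit for an agent skill's declared vs. actual needs.

Added example (not HeteroMind's or ClawHub's code). Checks: registry
metadata vs. SKILL.md required_env_vars, explicit safe config values,
explicit table file paths, and DSNs that use a dedicated non-admin user.
"""
import os
import re
from urllib.parse import urlsplit

# Constructed SKILL.md fragment; the frontmatter layout is an assumption.
SAMPLE_SKILL_MD = """\
---
name: heteromind
required_env_vars:
  - DEEPSEEK_API_KEY
  - OPENAI_API_KEY
optional_env_vars:
  - MYSQL_CONNECTION_STRING
  - POSTGRES_CONNECTION_STRING
  - CUSTOM_KG_ENDPOINT
  - TABLE_PATHS
---
"""

# Constructed registry metadata that, like the real listing, declares nothing.
SAMPLE_REGISTRY_META = {"required_env_vars": []}

# Values to require explicitly. The scan says the logging flags default to on,
# so a missing key counts as a finding rather than as "safe by default".
SAFE_CONFIG = {
    "auto_execute": False,
    "require_confirmation": True,
    "log_layer_outputs": False,
    "log_verification_details": False,
}

ADMIN_USERS = {"root", "postgres", "admin", "sa", "mysql"}  # heuristic list
LIST_ITEM = re.compile(r"^\s*-\s*([A-Z][A-Z0-9_]+)\s*$")


def list_under(skill_md: str, key: str) -> set[str]:
    """Collect the UPPER_CASE items listed under `key:` in the frontmatter."""
    names, active = set(), False
    for line in skill_md.splitlines():
        if re.match(rf"^{re.escape(key)}\s*:", line):
            active = True
            continue
        if not active:
            continue
        item = LIST_ITEM.match(line)
        if item:
            names.add(item.group(1))
        elif line.strip():  # next top-level key or '---' ends the list
            active = False
    return names


def metadata_mismatch(skill_md: str, registry_meta: dict) -> list[str]:
    """Env vars SKILL.md requires that the registry did not declare."""
    declared = set(registry_meta.get("required_env_vars", []))
    return sorted(list_under(skill_md, "required_env_vars") - declared)


def config_findings(config: dict) -> list[str]:
    """Keys that are unset or differ from the value in SAFE_CONFIG."""
    return [
        f"{key}: set {safe!r} explicitly (found {config.get(key, 'unset')!r})"
        for key, safe in SAFE_CONFIG.items()
        if key not in config or config[key] != safe
    ]


def table_path_findings(table_paths: list[str]) -> list[str]:
    """Reject globs and directories; only explicit files should be readable."""
    findings = []
    for path in table_paths:
        if any(ch in path for ch in "*?["):
            findings.append(f"wildcard table path: {path}")
        elif path.endswith(("/", os.sep)) or not os.path.splitext(path)[1]:
            findings.append(f"directory or extension-less table path: {path}")
    return findings


def connection_string_findings(env: dict) -> list[str]:
    """Heuristic: flag DSNs with no user or with a well-known admin user."""
    findings = []
    for name in ("MYSQL_CONNECTION_STRING", "POSTGRES_CONNECTION_STRING"):
        dsn = env.get(name)
        if not dsn:
            continue
        user = urlsplit(dsn).username
        if not user or user.lower() in ADMIN_USERS:
            findings.append(f"{name}: user {user!r} is not a dedicated read-only account")
    return findings


def audit(skill_md: str, registry_meta: dict, config: dict, env: dict) -> dict:
    """Run every check; an empty dict means nothing blocked the install."""
    paths = [p for p in env.get("TABLE_PATHS", "").split(os.pathsep) if p]
    report = {
        "metadata_mismatch": metadata_mismatch(skill_md, registry_meta),
        "config": config_findings(config),
        "table_paths": table_path_findings(paths),
        "connection_strings": connection_string_findings(env),
    }
    return {check: items for check, items in report.items() if items}


if __name__ == "__main__":
    # Constructed runtime values a careless install might use.
    demo_env = {"MYSQL_CONNECTION_STRING": "mysql://root:hunter2@db.internal:3306/shop",
                "TABLE_PATHS": "/workspace/*"}
    demo_config = {"auto_execute": True, "require_confirmation": True}
    for check, items in audit(SAMPLE_SKILL_MD, SAMPLE_REGISTRY_META, demo_config, demo_env).items():
        print(check)
        for item in items:
            print("  -", item)
```

The admin-user check is only a heuristic: the real test for a "read-only" account is to connect as that user against a non-production copy and confirm that an INSERT or UPDATE is refused, which this script cannot do offline. Treat any non-empty report as a reason to stop and fix the configuration before supplying real keys.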

Like a lobster shell, security has layers — review code before you run it.

latestvk975dh1s52g8p0rq1v1svgg7bd84qndz
