Hybrid DB Health

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent database health check, but its fallback instructions can print full OpenAI and Pinecone API keys into the agent session.

Before installing, treat this as a local diagnostic tool that runs workspace scripts. Do not use the manual grep command as written unless you are comfortable exposing API keys; prefer a masked presence check instead.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

API keys could be exposed in chat transcripts, logs, or downstream tool context when the agent performs the manual check.

Why it was flagged

This fallback check would print matching .env lines, including full OpenAI and Pinecone API key values, into the agent context or user-visible output.

Skill content

[ -f .env ] && grep -E '^(OPENAI_API_KEY|PINECONE_API_KEY)=' .env

Recommendation

Change the check to report only whether keys are present, mask values, and declare the credential use clearly in metadata and user instructions.

What this means

Running the skill may execute local workspace code and make provider-backed connectivity calls.

Why it was flagged

The health check executes local project scripts from the Pulse and RAG directories. This is disclosed and purpose-aligned, but users should know it runs code outside the skill package.

Skill content

python3 openclaw_sync.py --check ... source .venv/bin/activate && python query.py "connectivity test"

Recommendation

Use it only in a trusted workspace and inspect the referenced Pulse/RAG scripts if you need stronger assurance.

What this means

Users may not realize from the registry metadata that the skill depends on local scripts and credential-backed configuration.

Why it was flagged

The declared requirements do not reflect that the documented checks use bash/python, local project scripts, and OpenAI/Pinecone API-key configuration. The behavior is disclosed in SKILL.md, so this is a metadata/documentation gap rather than hidden execution.

Skill content

Required binaries: none; Required env vars: none; Primary credential: none

Recommendation

Update metadata to declare the expected local tools, workspace paths, and credential-backed services.