Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memory Lancedb Pro Skill
v1.0.0
This skill should be used when working with memory-lancedb-pro, a production-grade long-term memory MCP plugin for OpenClaw AI agents. Use when installing, c...
⭐ 0· 374·35 current·37 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with a configuration/opt‑in guide for memory-lancedb-pro. It legitimately needs to verify embedding/LLM endpoints and to read/apply OpenClaw config, so most requested actions match the stated purpose. However, the registry metadata declares no required env vars/credentials while the runtime instructions explicitly require multiple provider API keys (OPENAI_API_KEY, JINA_API_KEY, SILICONFLOW_API_KEY, etc.), which is an inconsistency between declared metadata and actual instructions.
Instruction Scope
SKILL.md instructs the agent to collect API keys (option to paste them directly into chat), to locate and read your openclaw.json, build/merge configs, apply them, restart the gateway, and run smoke tests (including curl checks). Asking for secrets in chat and automatic discovery/modification of system config expands the agent's scope beyond read-only guidance and can expose credentials or change system state without explicit user review.
Install Mechanism
This is an instruction-only skill (no install spec, no code files executed). That lowers risk because nothing is downloaded/executed automatically. The README suggests cloning from a GitHub repo, which is a normal install mechanism, but the registry lists no homepage/source verification.
Credentials
Although the need for API keys is coherent with configuring embedding/LLM/reranker providers, the skill metadata declared no required env vars while the instructions require several sensitive keys. The skill also invites users to paste keys directly into the conversation, which puts secrets into model context instead of using safer env var configuration; that is disproportionate from a secrecy standpoint and increases exfiltration risk.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). However its workflow explicitly writes/merges to openclaw.json and restarts the gateway — actions that modify system configuration and services. Those privileges are coherent with a config tool but are high-impact; you should expect the skill to have the ability to change persistent system state if you follow its instructions.
Scan Findings in Context
[system-prompt-override] unexpected: A pattern consistent with prompt-injection/system-prompt override was detected in SKILL.md. This is not expected for a purely benign configuration guide; it may be an attempt to influence model/system prompts or to manipulate the agent's behavior during evaluation. Treat as suspicious and inspect the text around the detection before allowing autonomous actions.
What to consider before installing
This skill appears to be a legitimate configuration assistant for memory-lancedb-pro, but it has multiple red flags you should address before using it:
1) Do not paste API keys or other secrets into the chat; instead set them as environment variables in the process and tell the skill they are 'already set as env vars'.
2) Back up your openclaw.json before letting the skill find/merge/write it — review any proposed changes line-by-line.
3) Prefer to run the verification curl commands yourself in a terminal (copy/paste the commands from SKILL.md) rather than allowing the agent to execute them autonomously.
4) Because registry metadata lists no homepage/source, verify the skill's origin (inspect the GitHub repo referenced in README and ensure it is trustworthy) before cloning.
5) The detected prompt-injection pattern is suspicious — do not grant this skill autonomous permissions to modify services or store credentials; run operations manually or in a sandbox first.
If you want a safer workflow, run steps locally yourself (backup config, set env vars, run the curl checks, apply changes) and only use the skill for human-readable guidance.
references/full-reference.md:201
Prompt-injection style instruction pattern detected.
SKILL.md:1356
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f61z8x8x8sykb02k7qwkb9s834bfy
