Wolfram Alpha (LLM API)

ReviewAudited by ClawScan on May 10, 2026.

Overview

This Wolfram Alpha skill is mostly purpose-aligned, but its optional query-string authentication can expose your AppID in error output, and it caches API results locally.

Before installing, make sure you are comfortable sending computation queries to Wolfram|Alpha. Use the default bearer authentication, do not include secrets in queries, disable the cache for sensitive requests, and consider fixing the script so it never prints an AppID-containing URL.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Queries, and any sensitive details included in them, may be sent to Wolfram|Alpha when the agent uses the skill.

Why it was flagged

The skill intentionally gives the agent a command-line wrapper that sends user-provided query text to Wolfram|Alpha. This is expected for the stated purpose, but it is still an external tool invocation.

Skill content

Use the bundled wrapper script to call Wolfram|Alpha's **LLM API** ... python3 skills/wolfram-alpha-llm/scripts/wa_llm.py --input "solve x^2 + 3x + 2 = 0"

Recommendation

Use it for computation and lookup queries you are comfortable sending to Wolfram|Alpha; avoid putting secrets or unnecessary personal data in the input.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If query-string authentication is used and a request fails, your Wolfram AppID could be revealed to anyone or anything that can read the agent's error output.

Why it was flagged

When '--auth query' is used, the Wolfram AppID is embedded in the URL; on HTTP errors, the script prints that full URL to stderr, which can expose the AppID in logs or transcripts.

Skill content

if args.auth == "query": params.insert(0, ("appid", appid)) ... print(f"\n\n[wa_llm] HTTP {status} for URL: {url}", file=sys.stderr)

Recommendation

Keep the default '--auth bearer' mode, avoid '--auth query' unless necessary, and patch the script to redact appid values or avoid printing full URLs on errors.

Low

#ASI06: Memory and Context Poisoning

What this means

Sensitive results returned by Wolfram|Alpha may remain on disk in the local cache until they expire or are deleted.

Why it was flagged

The skill discloses a local cache that persists API result bodies for up to seven days, so returned content may be reused later.

Skill content

default `--cache on` with `--cache-ttl 604800` (7d) - stores best-effort results in: `~/.cache/openclaw-wolfram-alpha/`

Recommendation

Use '--cache off' for sensitive queries and clear '~/.cache/openclaw-wolfram-alpha/' if cached results should not persist.