Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LanceDB Hybrid Search Memory Plugin
v1.2.1
LanceDB long-term memory plugin with BM25 + vector hybrid search (RRF or linear reranking).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, code, and package.json consistently implement a LanceDB memory plugin with hybrid BM25+vector search and OpenAI embeddings. Declared dependencies (@lancedb/lancedb, openai, typebox) are appropriate for the stated functionality.
Instruction Scope
Runtime instructions ask the user to install the plugin into the workspace, run npm install in the plugin folder, update OpenClaw's plugins.load.paths to point at the plugin (the plugin intentionally keeps id "memory-lancedb" and will override the bundled implementation), and restart the gateway. The plugin will create/modify a DB under ~/.openclaw/memory/lancedb and attempt to create an FTS index. These actions are consistent with a memory plugin but overriding the bundled plugin is a significant change the user must intentionally accept.
Install Mechanism
No automated install spec in registry (instruction-only), but SKILL.md directs a manual npm install in the plugin directory. That will fetch packages from the public npm registry (package-lock.json present). Manual install reduces platform-level risk, but running npm install pulls native optional packages for LanceDB; review network activity and postinstall scripts before running.
Credentials
Registry metadata lists no required env vars, but the plugin requires an embedding API key via config (commonly ${OPENAI_API_KEY}) and resolves referenced env vars at runtime. Requesting an OpenAI API key is proportional to the stated purpose, but the skill metadata does not declare this required credential — the mismatch is a transparency concern.
Persistence & Privilege
always is false and the skill is user-invocable (normal). However, the plugin is designed to override the built-in memory-lancedb by keeping the same extension id and asking the user to add the plugin path to OpenClaw's load paths. This is an intentional, powerful behavior: it can replace the bundled memory implementation and should be installed only when you trust the code.
Scan Findings in Context
[imports-@lancedb/lancedb] expected: The plugin imports and lazy-loads @lancedb/lancedb; this is expected for a LanceDB-backed memory plugin.
[uses-process.env-resolveEnvVars] expected: The config parser resolves ${ENV_VAR} placeholders (used for embedding.apiKey and baseUrl). This is expected, but it means runtime failure or secrets use depends on environment variables.
[depends-on-openai-package] expected: openai client is declared as a dependency and likely used to generate embeddings; this is required for the plugin to compute vectors.
What to consider before installing
This plugin appears to implement the claimed hybrid LanceDB memory functionality, but proceed with caution:
1) The registry metadata does not declare required environment credentials, yet the plugin requires an OpenAI embedding API key via its config (e.g. ${OPENAI_API_KEY}). Expect to provide that key.
2) Installing requires running npm install in the plugin folder — review package.json/package-lock.json and be aware npm will fetch native optional packages for LanceDB.
3) The plugin intentionally overrides the bundled memory plugin by keeping the id "memory-lancedb"; this replaces the built-in implementation when you add the plugin path. Back up your OpenClaw config and existing memory DB (~/.openclaw/memory/lancedb) before enabling.
4) If you don't trust the source (no homepage or upstream repo provided), consider running it in a disposable/test environment, manually review the full index.ts (to ensure no hidden network endpoints or unexpected behavior beyond what's shown), or prefer a plugin from a known upstream.
If you install, ensure the OpenAI key you supply has appropriate billing/permissions and rotate it if you later remove the plugin.
