Launchthatbot Convex Backend
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it advertises—store agent secrets, memory, and logs in the user’s Convex backend—but that intentionally gives the agent sensitive cloud persistence and Convex credential access.
Install this only if you want the agent to manage secrets, memory, and logs in your own Convex project. Before first use, confirm the Convex deployment target, review any .env keys before migration, keep CONVEX_DEPLOY_KEY local and private, and avoid sharing one backend among agents that should not see each other’s data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can store and retrieve sensitive service keys in the user’s Convex project, so a wrong deployment target or shared credential could expose secrets.
The skill may migrate local .env secrets into Convex environment variables. This is aligned with the stated secret-storage purpose, but it is broad credential handling.
Phase A (non-destructive): copy keys to Convex with `envSet` and verify with `envList` / `envGet`; exclude `CONVEX_DEPLOY_KEY` and `CONVEX_DEPLOYMENT` from migration
Use a dedicated Convex project, verify the deployment target before writes, review which keys will be migrated, and avoid sharing the deploy key with untrusted agents.
Work details may be retained in Convex across sessions and reused later by the agent.
The skill instructs the agent to persist session summaries in Convex. This is the advertised function, but persisted memory/logs can contain sensitive context if the agent summarizes too much.
Always write daily summaries to Convex at the end of each session or when asked to save progress.
Set clear rules for what may be saved, avoid putting raw credentials or sensitive personal data in logs, and periodically review or delete stored memories.
A future package change or npm supply-chain issue could affect what runs during setup.
The setup uses an unpinned latest npm package via npx. This is common for MCP setup and is user-directed, but it relies on the current npm package at execution time.
npx -y convex@latest mcp start
Pin known-good versions of Convex and mcporter where possible, and run setup commands only from trusted environments.
Agents sharing the same Convex/MCP access may be able to read or write memory for other agent IDs if not otherwise restricted.
Memory and log separation is based on a caller-supplied agentId. The included functions do not show per-agent authorization checks, so shared deployments should be treated as trusted shared storage.
args: { agentId: v.string(), ... } ... q.eq("agentId", args.agentId)
Use separate Convex projects or credentials for untrusted agents, or add explicit authorization checks before using this as a multi-tenant backend.
