Airweave
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: airweave Version: 1.0.1 The skill is designed to interact with the Airweave API for context retrieval. The `SKILL.md` provides clear instructions for the AI agent to use the `scripts/search.py` script, which makes a POST request to `https://api.airweave.ai` (or a configurable URL) using `AIRWEAVE_API_KEY` and `AIRWEAVE_COLLECTION_ID` from environment variables. All network activity and data handling are strictly aligned with the stated purpose of querying the Airweave service, with no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's behavior beyond its intended function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill through the configured credentials may be able to search and view data available in that Airweave collection.
The script requires an Airweave API key and collection ID, then sends the key as an API header to search the configured collection.
api_key = get_env("AIRWEAVE_API_KEY")
collection_id = get_env("AIRWEAVE_COLLECTION_ID")
...
headers = {
"x-api-key": api_key,
"Content-Type": "application/json",
}Use a least-privilege Airweave API key and a collection scoped only to data the agent should be allowed to search.
Search results could expose confidential workspace information to the conversation, and retrieved text should not be treated as authoritative instructions.
The skill is designed to retrieve indexed application data and use it as agent context, which is purpose-aligned but may include sensitive, stale, or untrusted workspace content.
Airweave indexes and syncs data from user applications to enable optimal context retrieval by AI agents. Supports semantic, keyword, and agentic search.
Treat retrieved content as evidence, cite sources, verify important claims, and do not follow instructions embedded inside retrieved documents or messages.
If AIRWEAVE_BASE_URL is set incorrectly or to an untrusted endpoint, search queries and the API key could be sent outside the intended Airweave service.
The default API endpoint is Airweave, but an optional environment variable can change where queries and the API key are sent.
base_url = get_env("AIRWEAVE_BASE_URL", "https://api.airweave.ai")
...
url = f"{base_url}/collections/{collection_id}/search"Leave AIRWEAVE_BASE_URL unset unless you intentionally use a trusted Airweave-compatible endpoint.
Users have less external context for verifying the publisher or release history, although the included code is small and visible in the artifacts.
The registry metadata does not provide a public source repository or homepage for provenance review.
Source: unknown Homepage: none
Prefer installing from trusted publishers and review the included script before configuring credentials.