knowledge-vault

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent long-term memory/RAG skill, but it stores user-provided knowledge persistently and sends text to external TiDB/Gemini services.

Install this if you want persistent agent memory backed by TiDB Vector and Gemini embeddings. Before using it, confirm that you are comfortable with saved content persisting in a database, text and queries being sent to Gemini for embeddings, and a local DSN file being created if auto-provisioning is used.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Low
What this means

Information saved through this skill may persist beyond the current conversation and may influence future responses.

Why it was flagged

The skill is explicitly designed to create persistent long-term memory, so user-provided content may be stored and later retrieved into the agent context.

Skill content
Store: Ingest documents, notes, and facts as vector embeddings... Remember: Access unlimited historical context
Recommendation

Only store information you want retained, avoid sensitive secrets, and maintain a way to review or delete the TiDB table contents if needed.

ASI03: Identity and Privilege Abuse
Low
What this means

Compromise or misuse of these environment variables could allow access to the configured database or API quota.

Why it was flagged

The skill requires database credentials and a Gemini API key. These credentials are expected for the stated TiDB/Gemini integration, but they are still sensitive.

Skill content
requires: ... env: ["TIDB_HOST", "TIDB_PORT", "TIDB_USER", "TIDB_PASSWORD", "GEMINI_API_KEY"]
Recommendation

Use least-privilege TiDB credentials, avoid sharing environment variables broadly, and rotate keys if they may have been exposed.

ASI02: Tool Misuse and Exploitation
Low
What this means

Running the skill without explicit TiDB credentials may create and use an external database instance automatically.

Why it was flagged

If TiDB credentials are absent, the code calls an external TiDB Zero API using curl to create a temporary database. This is disclosed in SKILL.md and aligned with the fallback provisioning feature.

Skill content
cmd = ["curl", "-sS", "-X", "POST", api_url, "-H", "content-type: application/json", "-d", "{}"]
Recommendation

Configure your own TiDB credentials if you want predictable ownership and retention, and review the local DSN cache if auto-provisioning is used.

ASI06: Memory and Context Poisoning
Low
What this means

Content and queries processed by the skill may be transmitted to Google’s Gemini API for embedding.

Why it was flagged

Both the text added to memory and the search queries are sent to the Gemini embedding API to generate vectors. This is expected for the stated embedding workflow, but it is an external data flow.

Skill content
result = client.models.embed_content(model="models/gemini-embedding-001", contents=text)
Recommendation

Do not add secrets or highly sensitive material unless your Gemini API/data handling policies are acceptable for that data.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Dependency behavior may change over time depending on the versions installed in the environment.

Why it was flagged

The Python dependencies are listed without pinned versions. This is common, but it means future installs may resolve to different package versions.

Skill content
pymysql
google-genai
Recommendation

Pin and review dependency versions in controlled deployments.