Langcache Semantic Caching for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Redis LangCache purpose, but it needs review because it can persist prompts and responses externally and includes bypass/destructive commands that are not fully scoped in the main instructions.

Install only if you are comfortable sending selected prompts and responses to Redis LangCache. Use a least-privileged API key, avoid caching secrets, PII, regulated data, or time-sensitive content, do not use `--force` unless you have reviewed the exact data, and reserve `delete`, `flush`, and `flush-force` for explicit operator-controlled maintenance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares powerful tools (Read, Bash, WebFetch) and instructs use of environment variables, shell scripts, and a managed external service, but the metadata does not clearly declare the effective permissions/capabilities. This creates a trust and review gap: operators may enable the skill without realizing it can access secrets, execute shell commands, and transmit data over the network.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill encourages sending prompts and responses to Redis LangCache, an external managed service, but does not prominently warn that user data may be transmitted off-host and stored remotely. Because prompts and responses can contain sensitive, regulated, or user-specific information, this omission can lead to unintended disclosure, retention, and compliance/privacy violations even if the cache has some blocking heuristics.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: This code sends user prompts to two external services, LangCache and OpenAI, and authenticates using API keys from environment variables, but provides no user-facing consent, notice, or data-classification safeguards. In an agent setting, prompts may contain sensitive or regulated data, so silent third-party transmission increases privacy and compliance risk even though the behavior is not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation explicitly encourages storing raw prompts, responses, and attributes such as `user_id`, which can contain sensitive personal, proprietary, or regulated data. In a semantic caching product, this is especially risky because cached LLM traffic often includes user queries and generated content; without warnings on minimization, redaction, retention, or access controls, operators may unintentionally persist sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The bulk-delete endpoint can remove multiple cache entries based on attributes, but the documentation does not prominently warn about the potentially broad and irreversible scope of the operation. In this skill context, attributes are suggested for partitioning by user/model/context, so an imprecise filter could delete large portions of cache data and cause availability loss or accidental cross-tenant impact.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The guidance explicitly recommends partitioning cached personalized responses by user ID, but it does not warn about privacy, retention, consent, access control, or the risk of storing sensitive user-specific prompts/responses in a shared cache backend. In a semantic caching system, personalized content can include sensitive data, so omission of these safeguards can lead to privacy leaks or inappropriate retention even if the example is technically functional.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script exposes a `flush-force` command that deletes the entire cache without any confirmation or safety interlock. In an agent skill context, this increases the risk of accidental or prompt-induced destructive actions that can wipe shared state and disrupt service availability.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:

```bash
fi
}

# Force flush without confirmation (for scripts)
cmd_flush_force() {
    api_request POST "/flush"
}
```

Confidence: 90%
Finding: `without confirmation`

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:

```bash
    if [[ -n "$entry_id" ]]; then
        # Delete by ID
        api_request DELETE "/entries/${entry_id}"
    elif [[ ${#attrs_args[@]} -gt 0 ]]; then
        # Delete by attributes
        local attrs
```

Confidence: 74%
Finding: `DELETE "/entries/${entry_id}"`

VirusTotal

66/66 vendors flagged this skill as clean.
