Back to skill

Security audit

Langcache Semantic Caching for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate remote semantic cache, but it needs Review because it can store prompts externally, bypass its sensitive-data caching guard, and wipe cache data without strong guardrails.

Install only if you trust the LangCache service and intend to send cacheable prompts/responses to it. Do not cache secrets, personal data, regulated content, or confidential business data unless you have explicit approval and controls. Treat --force, delete, and flush-force as admin-only operations, use scoped API credentials, and review retention/deletion behavior before enabling this in an agent workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares powerful capabilities via tools and documented shell/network usage, but does not explicitly communicate or constrain those permissions. This increases the risk that a user or downstream agent invokes networked cache operations and accesses environment-backed secrets without informed consent or clear trust boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior extends beyond the stated purpose of simple cache integration by including destructive cache management and, per the finding, additional force-store and direct API behaviors not disclosed in the skill description. Description-behavior mismatch is dangerous because users and orchestrators may authorize the skill under false assumptions, enabling unintended data deletion, policy bypass, or broader external data handling.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file asserts that sensitive-content caching is hard-blocked and enforced at the code level, but only documentation and regex examples are shown here. If users rely on undocumented enforcement that is absent or bypassable, sensitive prompts, credentials, or personal data could be transmitted to and stored in the external cache service despite the stated safety policy.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example labels prompts containing temporal, credential, identifier, and personal data as 'blocked', but the implementation only blocks them from being cached and still forwards them to the external LLM. This can mislead integrators into believing sensitive inputs are fully prevented from leaving the system, causing accidental disclosure of secrets and personal data to third-party services.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is semantic caching, but it also exposes destructive administration operations such as delete, flush, and flush-force. In an agent context, this broadens the blast radius from cache lookup/storage into bulk data destruction, which can be triggered accidentally or through prompt/tool misuse.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims blocked content 'NEVER get cached,' yet cmd_store allows storing blocked prompts/responses when --force is supplied. This undermines the safety guarantee and permits caching of credentials, identifiers, and personal context, creating confidentiality and privacy risk if an agent or caller uses the bypass.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill encourages storing prompts and responses in a managed external service but does not prominently warn that user content is transmitted off-system and retained remotely. This omission can lead to accidental disclosure of confidential, regulated, or personal information through normal use of the skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Delete and flush operations are destructive administrative actions, yet the documentation presents them as ordinary commands without strong warnings, confirmation requirements, or rollback guidance. In an agent context, this increases the chance of accidental or unauthorized cache erasure, causing loss of service value, auditability, and potentially shared operational data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code sends user prompts and optional system prompts to an external provider without any explicit consent, warning, or call-site indication that sensitive content may leave the local environment. In a caching/privacy-focused skill, that omission is more dangerous because users may assume the safety controls prevent external disclosure rather than only affecting cache storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly encourages storing raw prompts and LLM responses, which can easily contain secrets, personal data, internal business information, or regulated content. In a semantic caching skill, this is especially risky because users may enable caching broadly to reduce cost and latency without realizing their prompts and outputs are being transmitted to and retained by an external cache service.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The search API accepts a full prompt for semantic matching, but the documentation does not warn that this prompt is transmitted to the remote service for processing. Even without storing a new entry, users may submit sensitive prompts during lookup, creating confidentiality risk through network transmission and service-side handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guidance explicitly recommends placing a user ID into cache attributes for personalized responses, but it does not warn about privacy, minimization, retention, or access-control implications. Even if attributes are only used for partitioning, user identifiers in cache metadata can create unnecessary exposure of personal data, increase compliance risk, and make cross-tenant or unauthorized data access more damaging if the cache is misconfigured or logged.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The flush-force command deletes the entire cache without any confirmation or guardrails. In an agent-integrated setting, this enables accidental or induced destructive actions that can wipe shared cached data and degrade availability or cause operational loss.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
fi
}

# Force flush without confirmation (for scripts)
cmd_flush_force() {
    api_request POST "/flush"
}
Confidence
87% confidence
Finding
without confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
check <text>        Check if text would be blocked by policy

  flush               Clear entire cache (with confirmation)
  flush-force         Clear entire cache (no confirmation, for scripts)

Caching Policy (enforced automatically):
  CACHEABLE:
Confidence
74% confidence
Finding
no confirmation

Tool Parameter Abuse

High
Category
Tool Misuse
Content
if [[ -n "$entry_id" ]]; then
        # Delete by ID
        api_request DELETE "/entries/${entry_id}"
    elif [[ ${#attrs_args[@]} -gt 0 ]]; then
        # Delete by attributes
        local attrs
Confidence
89% confidence
Finding
DELETE "/entries/${entry_id}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
attrs=$(parse_attributes "${attrs_args[@]}")
        local json
        json=$(jq -n --argjson a "$attrs" '{attributes: $a}')
        api_request DELETE "/entries" "$json"
    else
        echo "Error: Delete requires --id or --attr" >&2
        echo "Usage: langcache.sh delete --id <entry-id>" >&2
Confidence
90% confidence
Finding
DELETE "/entries

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.