Kvstore
v1.0.0
In-memory key-value store with TTL for AI agents. Set, get, delete, list, flush, and stats. Supports any JSON value, optional TTL per key, and prefix-based k...
by @mirni
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (KV store with TTL) match the included Python code and HTTP endpoints. Required binary (python) and declared pip packages (fastapi, uvicorn, pydantic) are appropriate and proportional to the stated purpose.
Instruction Scope
SKILL.md only instructs starting a local uvicorn server and shows curl examples for the documented endpoints (/v1/set, /v1/get, /v1/keys, /v1/delete, /v1/flush, /v1/stats). There are no instructions to read unrelated files, exfiltrate data, or call external endpoints.
Install Mechanism
Install uses pip to fetch fastapi/uvicorn/pydantic from PyPI (declared in metadata). This is expected for a FastAPI app; pip installs carry the usual supply-chain considerations but are not unusual or disproportionate here.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not attempt to access unrelated secrets or system config.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It runs as a normal local service and maintains only in-memory state (no persistent storage).
Assessment
This skill appears to do exactly what it says: run a local HTTP server providing an in-memory JSON key-value store with TTL. Before installing or running it, consider: (1) network exposure — the SKILL.md starts uvicorn without an explicit host, so ensure you bind to localhost or place it behind a firewall/reverse proxy if you don't want external access; there is no authentication, so anyone who can reach the server can read/modify data; (2) data persistence — state is in-memory only and will be lost on restart; (3) package provenance — the install uses pip to fetch FastAPI/uvicorn/pydantic from PyPI, which is normal but subject to normal supply-chain risks; (4) code review — the codebase is small and readable (no hidden endpoints), so review it yourself if you have concerns. Overall the skill is internally consistent and not suspicious.
Like a lobster shell, security has layers — review code before you run it.
latestvk97asn9d0cvjearg51mgphcqxn84rcs2
Runtime requirements
🗄️ Clawdis
Bins: python
Install
uv
