cairn
Review
Audited by ClawScan on May 12, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
Install if you want a local searchable knowledge base and are comfortable managing what gets indexed. Before using it with agents, set CAIRN_ALLOWED_ROOTS, review each add/refresh action, avoid indexing secrets, and consider separate databases for sensitive material. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you approve the wrong add action, private local directories could be indexed into Cairn's database.
The MCP add path is purpose-aligned, but without the optional allowlist an approved connected agent can ingest any local path the process can read.
CAIRN_ALLOWED_ROOTS unset — connected agents can ingest any local path. Set CAIRN_ALLOWED_ROOTS=/comma/separated/abs/paths to confine ingestion.
Set CAIRN_ALLOWED_ROOTS to the specific folders you intend to index, keep ingest size caps enabled, and review MCP add/refresh calls before approving them.
Indexed content can remain available to future searches and connected agents, including material you may not want reused across tasks.
The index stores text chunks from ingested sources in a persistent SQLite database, making selected content retrievable later.
CREATE TABLE IF NOT EXISTS chunks (... content TEXT NOT NULL, start_line INTEGER NOT NULL, end_line INTEGER NOT NULL)
Only index content you intend to keep searchable, avoid indexing secrets, and use separate database paths for sensitive projects.
Any trusted/approved MCP client can retrieve indexed content and add new sources.
The MCP boundary is explicitly delegated to the host: connected and approved agents can read from and add to the local knowledge base.
"mcp_access": "When invoked, MCP gives the connected agent read + ingest access — that's what MCP is. The host ... controls which agents connect ... gates each call"
Connect Cairn only to MCP hosts and agents you trust, keep per-call approval enabled, and isolate sensitive indexes with separate dbPath values.
Installation or first embedded-runtime use may pull native code or large model files from external sources.
Native packages and optional model downloads are disclosed and aligned with the indexing/embedding purpose, but they are still a supply-chain surface.
Native deps build on install (better-sqlite3, sqlite-vec, three tree-sitter grammars). ... CAIRN_RUNTIME=embedded ... auto-downloads GGUFs to ~/.cairn/models on first use
Use the bundled or pinned package from the declared source, verify provenance/checksums where possible, and set CAIRN_OFFLINE with pre-cached models for stricter environments.
