librarian companion

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a disclosed local book-search companion, but it depends on a separate Librarian install and runs local search code over your indexed book library.

Before installing, make sure you intentionally use the Librarian project in the expected local location and trust that code. Be aware that searches can place excerpts from your indexed books into the agent conversation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The behavior and safety of searches also depend on the local Librarian project and its dependencies, not only this skill package.

Why it was flagged

The skill is a companion that relies on a separately installed parent project and unpinned Python dependencies; this is disclosed and purpose-aligned, but the parent engine code is outside this package.

Skill content

requires:
  - librarian (parent project)
  - python3 (>=3.11)
dependencies:
  python:
    - sentence-transformers
    - torch
    - faiss-cpu

Recommendation

Install the parent Librarian project only from a trusted source, review its setup, and consider pinning dependencies where practical.

What this means

When the skill is invoked, it can run the local Librarian search script with the query and selected scope.

Why it was flagged

The shell wrapper builds and executes a local command to run the Librarian research script. Arguments are shell-quoted first, and command execution is central to the skill's purpose, but it is still local code execution.

Skill content

printf '%q ' "${cmd[@]}"
...
if ! eval "$cmd" 2>/dev/null > "$tmp_json"; then

Recommendation

Use this only with a trusted local Librarian installation, and prefer the non-shell Python wrapper or direct array execution if modifying the wrapper.

What this means

Private or sensitive book excerpts from the indexed library may be shown to the agent and included in responses.

Why it was flagged

The wrapper retrieves search results from a local Librarian directory and prints excerpt text into the agent response, placing local library content into the conversation.

Skill content

LIBRARIAN_PATH = Path.home() / "Documents" / "librarian"
...
text = result.get("text", "")
...
print(f"\n> {text}\n")

Recommendation

Index only books you are comfortable querying through the agent, and treat retrieved excerpts as citations rather than instructions to follow.