VectorClaw
Advisory
Audited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with local process or Docker visibility during setup could see database passwords, including the container’s MySQL root password.
The setup script supplies both the MySQL root password and the dedicated user password via command-line arguments, which can expose them through process inspection and contradicts the documented secret-handling posture.
docker exec "$CONTAINER_NAME" mysql -u root -p"$MYSQL_ROOT_PASS" -e "..."; VERIFY=$(docker exec "$CONTAINER_NAME" mysql -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" "$DB_NAME" -e "SELECT 1 as connected;"
Do not run setup on shared systems until it uses temporary defaults files or stdin-based credential handling for all mysql invocations and avoids putting secrets in process arguments.
A user or process with access to the container could read the dedicated database username and password after queries run.
The wrapper copies a credentials file into the MyVector container but the cleanup trap only deletes the host temp file, so the copied MySQL credentials remain in the container.
CONTAINER_CREDS_PATH="/tmp/.mysqlclaw_creds.cnf"; docker cp "$CREDS_FILE" "$DOCKER_CONTAINER:${CONTAINER_CREDS_PATH}" ... cleanup_creds() { rm -f "$CREDS_FILE"; }
Remove the in-container credentials file with a trap or use a credential-passing method that does not persist secrets inside the container.
A confirmed write could affect tables beyond the intended allowlist if complex SQL is allowed and the database account has access.
The write allowlist parser appears to check only the first table name it extracts. Multi-table UPDATE/DELETE/JOIN statements could involve additional tables if the database user has broader database privileges.
TABLE_NAME=$(echo "$SQL" | grep -oiE "(INTO|UPDATE|FROM|TABLE)\s+([a-zA-Z_][a-zA-Z0-9_]*)" | ... | head -1)
Use table-specific MySQL grants, parse SQL with a real SQL parser, or block multi-table write syntax rather than relying on a first-table regex.
Future pulls of the same tag could run a different database image than the one originally reviewed.
The setup script runs an external container image by mutable tag rather than a pinned digest. This is purpose-aligned for a Docker-backed database, but users should be aware of the external dependency.
ghcr.io/askdba/myvector:mysql8.4
Pin the Docker image by digest and verify the image source before running setup.
Stored memories may reveal personal details or influence future agent behavior if not reviewed and retained carefully.
The skill intentionally stores persistent personal, behavioral, emotional, and agent-learning records. The documentation includes consent and review rules, so this is purpose-aligned, but it is still sensitive memory behavior.
Approved Sources: Direct Discord messages ... Observed interaction patterns ... Agent reasoning ... Review before acting — agent_learnings and rule-like memories must be reviewed before affecting future behavior
Use explicit consent, keep retention limits enabled, review agent_learnings before use, and test deletion/rollback procedures.
Users may not be able to tell from the registry whether the skill needs wallet or purchase authority.
The registry capability signals list wallet, crypto, and purchase-related capabilities, while the provided documentation says the skill has no external APIs, crypto, or wallets. No provided code evidence shows wallet or purchase behavior, but the mismatch is confusing.
Capability signals: crypto; requires-wallet; can-make-purchases; requires-sensitive-credentials
Synchronize registry metadata with the actual skill behavior before publication.
