Semantic Cache

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it uses OpenAI and Redis to cache LLM prompts and responses, with operational privacy and deletion cautions.

Install only if you want Redis-backed semantic caching for LLM calls. Use a dedicated Redis database or namespace, avoid caching secrets or regulated data unless your policies allow it, set an appropriate TTL, and treat clear/test commands as destructive because they remove cached Redis data and the search index for this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability
Severity: Low | Confidence: 81%
Finding: The clear() command deletes all cache entries matching the prefix and drops the search index without any confirmation, scoping guard, or authorization check. In a shared Redis instance or automation context, accidental or unauthorized invocation can cause denial of service, data loss, and cache poisoning recovery overhead by wiping the semantic cache for all users.

Vague Triggers
Severity: Medium | Confidence: 89%
Finding: The activation text is very broad ('cache AI responses,' 'reduce API costs,' 'speed up repeated queries,' 'add semantic caching to any workflow'), which can cause the skill to trigger in many ordinary contexts where the user did not explicitly request Redis-backed semantic caching. In this skill, unintended invocation is more dangerous because activation can lead to external transmission of prompts to OpenAI and storage of user data in Redis.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The skill explicitly states that user questions are embedded with OpenAI and that cache misses are passed through to the LLM, but it does not clearly warn users that their prompts may be transmitted to a third-party provider. This creates a real privacy and data-handling risk, especially if users enter sensitive, proprietary, or regulated information assuming the processing is local or only cached internally.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding: The documented 'clear' command deletes all cached entries, but the documentation does not warn about the destructive scope of this action. In operational use, a user or agent could invoke it without realizing it is irreversible, causing loss of cached responses, performance degradation, and potential disruption for all consumers sharing the Redis cache.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: On cache miss, the code sends the user's question to OpenAI and later stores the query and model response in Redis, but the flow provides no notice, consent, redaction, or sensitivity filtering. If users submit secrets, personal data, or regulated content, this can create unintended third-party disclosure and persistent storage of sensitive information.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding: The destructive cache-clearing path performs mass deletion immediately, with no confirmation prompt, dry-run mode, or warning to the operator. In scripted or mistaken usage, this increases the chance of accidental service disruption and loss of cached data that may affect availability and cost controls.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The test script performs destructive operations against Redis by deleting all keys matching the cache prefix and dropping the semantic cache index without confirmation or environment scoping. In a shared or misconfigured Redis instance, running this test can erase production cache data and disrupt dependent services, making it an operationally dangerous pattern.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding: The final cleanup again deletes all matching cache keys and drops the index automatically, which can destroy data after the test completes with no safety guardrails. This is especially risky in the skill context because Redis connection details come from environment variables, so an operator could unintentionally point the script at a real shared cache and lose data.

VirusTotal

66/66 vendors flagged this skill as clean.
