ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Langchain Skill

v1.0.2

Python skill using LangChain to manage conversation memory and chains, enabling context-aware, concise Vietnamese replies with customizable prompts.

0· 181·0 current·1 all-time
by@s0nocean
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise full LangChain functionality (memory, RAG on PDFs, tool-calling, agent routing) but the included code (one function returning a formatted string) implements none of that. The skill also declares no required environment variables or install steps despite SKILL.md listing Python packages and API keys as prerequisites. This is an incoherence between claimed capabilities and actual footprint.
Instruction Scope
SKILL.md describes actions that would require reading uploaded files, calling web search/calculator tools, and contacting external LLM providers. The instructions are high-level and vague (e.g., 'tool calling', 'read file', 'set API key in code'), leaving broad discretion about what the agent will access or transmit. The current implementation does not perform those actions, but the README suggests the agent could if implemented.
Install Mechanism
There is no install spec (instruction-only). That lowers immediate risk because nothing is auto-downloaded or written to disk. SKILL.md does list required Python packages which users must install themselves; no automated or networked installer is included.
!
Credentials
Registry metadata lists no required env vars, yet SKILL.md mentions needing API keys for Gemini/DeepSeek/Groq and even says keys may be 'set in code if needed'. Asking authors/users to embed API keys in code is a red flag and the lack of declared env variables is inconsistent with the documented requirements.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system-wide privileges, and contains no install-time scripts. There is no evidence it modifies other skills or agent config.
What to consider before installing
This package looks like a placeholder/template rather than a working LangChain integration. Before installing or using it: (1) ask the author for the real source or a changelog explaining why the feature list differs from the code; (2) never paste API keys into the code — require env vars or a secure secret store; (3) if you test it, run in an isolated environment because the SKILL.md indicates it could be extended to read files and call external APIs; (4) prefer a release from a known source or ask for a full implementation and security notes. Because of the mismatch between claims and code, treat this as untrusted until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk973rv2ret9rsxs1bzxtskzbpn8332rz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments