ClawHub
Back to skill
v1.0.0

Edith Senso Knowledge

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This is a coherent Senso.ai knowledge-search skill, but users should know it stores a Senso API key and sends their knowledge-base queries and snippets to Senso.

GuidanceThis skill appears safe for its stated purpose if you trust Senso.ai and want Edith/OpenClaw to search your Senso knowledge base. Before installing, be comfortable storing a Senso API key in OpenClaw memory/config and sending knowledge-base questions and retrieved snippets to Senso's API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Use the `exec` tool to call the Senso.ai search endpoint: curl -s -X POST "https://sdk.senso.ai/api/v1/search"

The skill instructs the agent to use exec/curl to call an external API. This is central to the stated Senso search purpose, but it is still shell-based tool use that users should recognize.

User impactWhen invoked for document questions, the agent may run a curl command that sends the user's query to Senso.ai.
RecommendationUse this skill only if you expect document questions to be sent to Senso.ai and are comfortable with the agent using exec/curl for that purpose.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
The user must have a Senso.ai API key... Tell OpenClaw: "My Senso API key is sk-..." and store it for future use... as `SENSO_API_KEY`.

The skill requires a third-party API key that grants access to the user's Senso.ai knowledge base. This is expected for the integration, but it is sensitive account access.

User impactAnyone or anything with access to the stored key may be able to use the user's Senso.ai project according to that key's permissions.
RecommendationCreate a minimally scoped Senso API key if possible, rotate it if exposed, and remove it from OpenClaw memory/config if you stop using the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
The response is JSON with an array of results, each containing relevant text passages and metadata... `"context": "<concatenated search result passages>"`

The skill uses retrieved knowledge-base passages as context for answers and may send concatenated result passages to Senso's generate endpoint. This is purpose-aligned RAG behavior, but retrieved document content can influence spoken output.

User impactPrivate document snippets may be used to generate answers, and the agent may rely on retrieved passages when speaking back to the user.
RecommendationKeep sensitive or untrusted documents out of the Senso knowledge base unless you are comfortable having them retrieved and summarized through this skill.