semantic-search
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill’s search and Text-to-SQL purpose is clear, but it ships real-looking internal credentials and relies on unreviewed local project configuration while enabling broad database queries.
Review carefully before installing. Remove and rotate any exposed credentials, run only with scoped read-only database access, pin and audit dependencies, verify all imported local modules, and require SQL review/limits before allowing the agent to query enterprise data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or sharing this package could expose service credentials, and using them could unintentionally connect the agent to internal systems with excessive privilege.
The published artifacts include real-looking internal hosts, usernames, and passwords for database/Nacos services, which is sensitive credential material rather than just a declared integration requirement.
"flight_db": { "host": "192.168.0.221", "user": "admin", "password": "password" } ... "NACOS_CONFIG": { ... "username": "bjsh", "password": "pwd123" }
Do not use the included credentials; require the publisher to remove them, rotate any real exposed secrets, and configure only least-privilege read-only credentials through environment variables or a secure secret store.
The skill may load and execute local project code or credentials that were not reviewed as part of this package, making its runtime behavior environment-dependent.
The skill modifies Python import paths and imports a sibling project's config module that is not part of the provided manifest, so behavior can depend on unreviewed local code/configuration.
project_root = current_dir.parent.parent / "semantic_search"
if project_root.exists():
    sys.path.insert(0, str(project_root))
from utils.config import CONFIG as PROJECT_CONFIG
Package and declare all required modules explicitly, remove sys.path-based local project imports, and make any external configuration paths opt-in and documented.
If connected with powerful database credentials, the agent could run overly broad or unsafe generated queries and expose sensitive business data.
The visible wrapper invokes generated SQL/data extraction and returns the result and SQL, but does not show read-only enforcement, SQL safety checks, approval prompts, or row-scope controls.
result, sql = await self.data_gen.query2sql(query=request.query, resource_id=resource_id, max_attempts=request.max_attempts, confidence_threshold=request.confidence_threshold)
Use a read-only, least-privilege database account; require review of generated SQL before execution; and enforce SELECT-only, resource allowlists, timeouts, and row limits in code.
Bad or sensitive stored SQL examples could influence future generated SQL or persist information longer than intended.
The Vanna-style retriever can create and persist SQL examples in a vector table for later retrieval, which is purpose-aligned but creates reusable context that can be poisoned or retain sensitive query/SQL examples.
self._ensure_table_exists() ... self.client.create_vector_view(self.table_name, schema) ... self.client.insert_data(table_name=self.table_name, embed_fields=["question"], metadatas=metadata)
Restrict who can add examples, review stored examples, avoid storing sensitive queries, and define retention/cleanup rules for the vector table.
