Skillv1.0.0

ClawScan security

semantic-search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 4, 2026, 9:06 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it claims (semantic search against a FlightSQL-backed vector DB), but there are several implementation choices that could expose unexpected local configuration or external network calls; review before installing and run in an isolated environment.
Guidance: This package appears to implement the advertised semantic-search functionality, but review carefully before installing: - Expect to provide FlightSQL credentials; the skill will connect to your DB and run queries (Text-to-SQL may execute SELECTs). Provide a least-privilege DB account and limit network access. - The code attempts to import project-level configs (utils.config) by adding parent paths to sys.path. That means the skill can pick up and use configuration files or credentials present in the surrounding environment — run it in an isolated container / sandbox to avoid accidental use of host secrets. - The docs reference many optional external services (LLM endpoints, embedding/rerank services, internal IPs). If you supply LLM/embedding API keys or allow network egress, the skill will make outbound requests; audit those endpoints and restrict egress where appropriate. - Dependencies are extensive and pull third-party libraries. Pin and audit dependency versions, and install in an isolated virtualenv or container. - There are small inconsistencies (missing test module referenced in docs). Consider doing a quick code review of the text2sql and retriever modules and a dry-run in a non-production environment to confirm which external endpoints are actually called. If you need this skill in production: run it with network egress controls, a restricted DB user, and with LLM/embedding credentials limited to test models/services until reviewed.

Review Dimensions

Purpose & Capability: noteThe skill name/description (enterprise semantic search, Text-to-SQL) aligns with the artifacts: it requires FlightSQL connection info and includes vector DB, retriever, and text2sql code. Minor mismatch: SKILL metadata declares only FLIGHT_DB_* as required env vars while documentation and code reference LLM/embedding/rerank configuration (LLM_API_KEY, EMBEDDING_API_KEY, base_url, etc.). This is plausible (DB credentials are mandatory; LLM/embedding may be optional or use local services), but the omission reduces clarity.
Instruction Scope: concernThe runtime code and SKILL.md instruct the agent to read env vars and config files (config.yaml/.env) which is expected. However, main.py and other modules dynamically add parent project paths to sys.path and attempt to import utils.config.CONFIG from a project-level location — this can cause the skill to load configuration from outside the skill bundle (project configs, Nacos configs, or other local files), potentially exposing or using host-level secrets and endpoints. SKILL.md also references a test module (python -m src.test_search) that is not present in the bundle, indicating documentation/code drift.
Install Mechanism: noteThere is no install spec (instruction-only for OpenClaw) and dependencies are listed in requirements.txt. That is lower installer risk than arbitrary downloads, but the dependency list includes non-trivial packages (dashscope, FlagEmbedding, bge-reranker, lancedb, adbc-driver-flightsql) which will pull code from PyPI and may require native builds or network access. No packaged install from unknown URLs was observed.
Credentials: noteDeclared required env vars (FLIGHT_DB_HOST, FLIGHT_DB_PORT, FLIGHT_DB_USER, FLIGHT_DB_PASSWORD) are appropriate for a skill that queries a FlightSQL-backed vector DB. The repository and docs, however, reference additional credentials and internal endpoints (LLM API keys, embedding API keys, several internal IPs/URLs in PROJECT_CONFIG.md). Those additional credentials are not flagged as required in the top-level metadata, which is a documentation inconsistency — in practice Text-to-SQL and query enhancement will need LLM/embedding credentials or reachable local models.
Persistence & Privilege: okThe skill does not request always: true and has no special platform privileges. It does not appear to modify other skills or system-wide agent settings. Normal autonomous invocation is allowed (platform default).