ClawHub

Claw SQLite Knowledge

v1.0.2

Knowledge base skill that wraps the clawsqlite knowledge CLI for ingest/search/show.

0· 303·0 current·0 all-time
by@ernestyu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description match what it installs and runs: it bootstraps the clawsqlite PyPI package and invokes `python -m clawsqlite_cli knowledge ...`. Required binary (python) and the pip install of clawsqlite are proportional to a CLI wrapper. Minor doc-version text differences (0.1.x vs 1.0.2) are present but not material.
Instruction Scope
SKILL.md and run_clawknowledge.py instruct only to run the clawsqlite knowledge CLI and forward JSON payloads (ingest/search/show/report). The runtime does not read unrelated system files or environment secrets. It may use configured scraper or embedding providers (per clawsqlite settings) which is expected for this skill.
Install Mechanism
Installation uses a small bootstrap script that runs pip to install `clawsqlite>=1.0.2`, with a workspace-prefix fallback. This is a standard PyPI install (moderate risk but expected); no downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill itself declares no required env vars or credentials. It reads/processes the environment only to add a workspace site-packages path to PYTHONPATH. However, functionality (embeddings, scrapers, small LLMs) depends on the external clawsqlite configuration (EMBEDDING_*, CLAWSQLITE_SCRAPE_CMD, etc.) that may require API keys or network access — this is expected but you should review embedding/scraper configuration before enabling.
Persistence & Privilege
The skill does not request always:true and will not auto-enable itself globally. It writes a workspace-local prefix (.clawsqlite-venv) if pip falls back, which is normal for a skill installing a Python package; it does not modify other skills or system-wide configs.
Scan Findings in Context
[no_findings] expected: Static pre-scan found no injection signals. The code does call subprocess.run to invoke the trusted clawsqlite CLI; this is expected behavior for a CLI wrapper.
Assessment
This skill is a thin wrapper around the public clawsqlite PyPI package and appears internally consistent. Before installing: (1) review and trust the upstream clawsqlite package on PyPI/GitHub; the bootstrap runs pip install, so a compromised package would be consequential; (2) run `clawsqlite knowledge doctor --json` (as recommended) to inspect required paths and embedding/LLM configuration; (3) be aware that embedding providers or scrapers (if you enable them) may require API keys and will contact network endpoints — review and control those env vars (EMBEDDING_*, CLAWSQLITE_SCRAPE_CMD) and provider settings before use; (4) if you prefer, run the bootstrap step manually to see what pip installs and whether the workspace prefix is used.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fg6tc22kmt17c8zkgr88ec584f72y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython

Comments