Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memory LanceDB Setup
v1.0.0
Configure OpenClaw's memory-lancedb plugin to enable local semantic vector memory using LanceDB and an OpenAI-compatible embedding provider.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the skill asks you to do: enable the memory-lancedb plugin, configure an OpenAI-compatible embedding endpoint, install @lancedb packages, and patch a native binding issue on Apple Silicon. All requested actions and files are relevant to that goal.
Instruction Scope
SKILL.md instructs the user to run openclaw config set commands, npm installs under /usr/local/lib/node_modules/openclaw, and a local Python patch script that edits a packaged native.js. These actions are within the plugin's scope but do modify system-installed package files and write the embedding API key into OpenClaw config (plaintext in config commands). The instructions do not read or transmit unrelated files or secrets to external endpoints beyond the embedding provider endpoint the user configures.
Install Mechanism
This is an instruction-only skill (no remote install). The only install actions are npm install commands that the user is told to run. The included Python patch script edits a file under node_modules; no third-party downloads or obscure URLs are embedded in the skill files.
Credentials
The skill declares no required environment variables or credentials. It instructs the user to obtain an embedding API key and place it into OpenClaw's config, which is proportional to configuring an embedding provider. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill does not request 'always' presence and does not contain autonomous privileges beyond normal skill behavior. However it instructs patching a third-party package file inside system node_modules (writes to /usr/local/...), which requires filesystem privileges and is persistent until changed; backup and caution are advised.
Assessment
This skill appears to do what it says — install LanceDB bindings and patch a packaging bug — but it will modify system-installed node_modules and store an embedding API key in OpenClaw's config. Before running anything: (1) confirm OpenClaw is actually installed at the path used in the instructions (or update commands to your install path); (2) back up the target native.js (e.g., copy /usr/local/lib/node_modules/openclaw/extensions/memory-lancedb/node_modules/@lancedb/lancedb/dist/native.js to native.js.bak) so you can revert; (3) run npm installs with the correct architecture package and only from the official npm registry; (4) inspect the included patch_native.py locally before running it (it performs a simple text replace but will write to system files); (5) be aware that putting API keys into application config may store them in plaintext — consider whether OpenClaw has a secure secret store or prefer environment-based secrets where supported; and (6) prefer an upstream fix or official package if available rather than long-term local patches. If any of these steps or paths look unfamiliar (different install path, different LanceDB layout, or unexpected native.js content), stop and investigate before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97cst3xkqp3mft04fkgfh99v183vfz2
