Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kb Mini

v1.3.0

Store, search, and automatically manage a personal or shared knowledge base integrated with OpenClaw through before/after hooks.

by Thomas Lau (@thomasliu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the delivered artifacts: scripts implement storage, retrieval, hooks, and lifecycle for a local SQLite FTS5 knowledge base. Declared runtime deps in SKILL.md (bash, sqlite3, python3) are consistent with the shipped code. However, there are small inconsistencies between documentation and code: SKILL.md describes a default path under ~/.openclaw/workspace/skills/kb-mini/data/knowledge.db, while the scripts default to $HOME/.openclaw/agents/current/knowledge.db and other locations. That mismatch should be resolved so users know where data will actually be stored.
Instruction Scope
The SKILL.md and hooks/lifecycle scripts direct the agent to automatically recall before a conversation and capture after each turn. That means conversation content and derived decisions can be written to disk without an explicit user action. The scripts embed user/agent text into SQL statements and topic keys without proper escaping or parameterization (e.g., topic_key interpolated directly into sqlite3 queries), creating risk of local SQL injection or accidental DB corruption from crafted content. The skill also provides 'shared KB' behavior where multiple agents can read/write the same DB — this expands the data-access scope and can leak cross-agent data if enabled.
Install Mechanism
There is no install spec (instruction-only), so the skill does not download arbitrary third-party binaries during install. The security surface is limited to the shipped scripts which will run on invocation; this is lower risk than executing code downloaded at install time, but runtime behavior still matters.
Credentials
Registry metadata lists no required env vars or config paths, yet SKILL.md and scripts rely on many environment variables (KNOWLEDGE_DB, KNOWLEDGE_KB_MODE, KNOWLEDGE_SHARED_NAME, AGENT_DIR, OPENCLAW_USER_MESSAGE, etc.). The skill will read/write filesystem locations under home and agent directories (e.g., ~/.openclaw/shared/knowledge-bases/...), but those config paths were not declared in metadata. Asking for or using broad filesystem paths and shared DBs is proportionate for a KB skill, but the lack of declared config requirements and the default to agent-shared locations is a privacy/clarity concern.
Persistence & Privilege
The skill is not force-included (always: false) and uses standard autonomous invocation for hooks (normal). However, its purpose is to auto-run on hooks (before_agent_start / after_turn) and persist conversation content. That persistent, automatic capture — especially when shared-KB mode is enabled — increases the blast radius of any mistakes or abuse. The skill does not modify other skills' configs but will create and write DB files in user/agent directories.
What to consider before installing
What to check before installing:
- Understand where the DB will live: the SKILL.md and scripts disagree on default paths. Inspect (and optionally set) KNOWLEDGE_DB and KNOWLEDGE_KB_MODE to ensure data is private and stored where you expect (set mode=private and a controlled DB path if unsure).
- This skill auto-recalls before conversations and auto-captures after turns. If you do not want every conversation persisted, disable the hooks or raise the capture threshold (or avoid installing the generated hook scripts).
- Review the scripts for unsafe interpolation: topic_key and other values are interpolated into sqlite3 commands without parameterization. Consider hardening (use parameterized sqlite3 access from Python or properly escape inputs) to avoid local SQL injection or DB corruption from crafted messages.
- Shared KB mode allows multiple agents to read/write the same DB. Enable it only when you explicitly want cross-agent sharing and after you trust all participating agents.
- Test in a sandbox: run the scripts on a throwaway agent and inspect the created DB and files. Verify that sqlite3 on your system supports FTS5 (it is required).
- If you plan to use this skill, consider adding explicit required config/env declarations and limit hook registration to manually enabled hooks so captures are explicit rather than automatic.

Why 'suspicious' and not 'malicious': the code implements the advertised KB functionality and uses no unexpected network endpoints, but the undeclared config/env usage, automatic persistence across agents, and unsafe string interpolation are notable coherence and safety issues that should be fixed or accepted knowingly before use.
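The interpolation problem and the FTS5 check called out in the scan, as an added example that is not the skill's own code. It contrasts the flagged pattern (a topic key pasted into a sqlite3 CLI command string) with parameterized access from Python's sqlite3 module, probes for FTS5 before creating the virtual table, and quotes search terms so punctuation in captured content cannot alter the MATCH query. The schema (notes with topic_key and body, a notes_fts index) and the CLI command shape are assumptions, not kb-mini's actual layout.

```python
"""Added example, not code from the kb-mini skill.

Schema, table names and the CLI command shape below are assumed for
illustration; the skill's real scripts and paths differ.
"""
from __future__ import annotations

import sqlite3


def unsafe_cli_command(topic_key: str) -> str:
    # The pattern the scan flags: user-controlled text dropped straight
    # into a sqlite3 shell command.  A single quote in topic_key ends the
    # SQL string literal and everything after it is parsed as SQL.
    return f"sqlite3 knowledge.db \"SELECT body FROM notes WHERE topic_key = '{topic_key}';\""


def quoted_sql_literal(value: str) -> str:
    # If the shell path must stay, at least double single quotes so the
    # value cannot terminate the literal, and feed the SQL to sqlite3 via
    # stdin rather than the argv so shell metacharacters never apply.
    return "'" + value.replace("'", "''") + "'"


def has_fts5() -> bool:
    # FTS5 is a compile-time option of the linked SQLite; probing an
    # in-memory table is more reliable than parsing PRAGMA compile_options.
    probe = sqlite3.connect(":memory:")
    try:
        probe.execute("CREATE VIRTUAL TABLE probe USING fts5(x)")
        return True
    except sqlite3.OperationalError:  # "no such module: fts5"
        return False
    finally:
        probe.close()


class KnowledgeBase:
    """Minimal capture/recall/search store using bound parameters only."""

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.fts = has_fts5()
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS notes("
            "id INTEGER PRIMARY KEY, topic_key TEXT NOT NULL, body TEXT NOT NULL)"
        )
        if self.fts:
            # External-content FTS5 index over notes.body, kept in sync on insert.
            self.conn.executescript(
                """
                CREATE VIRTUAL TABLE IF NOT EXISTS notes_fts
                    USING fts5(body, content='notes', content_rowid='id');
                CREATE TRIGGER IF NOT EXISTS notes_ai AFTER INSERT ON notes BEGIN
                    INSERT INTO notes_fts(rowid, body) VALUES (new.id, new.body);
                END;
                """
            )

    def capture(self, topic_key: str, body: str) -> int:
        # Values travel as bound parameters; the SQL text never changes.
        cur = self.conn.execute(
            "INSERT INTO notes(topic_key, body) VALUES (?, ?)", (topic_key, body)
        )
        self.conn.commit()
        return cur.lastrowid

    def recall(self, topic_key: str) -> list[str]:
        rows = self.conn.execute(
            "SELECT body FROM notes WHERE topic_key = ? ORDER BY id", (topic_key,)
        )
        return [r[0] for r in rows]

    def search(self, term: str) -> list[tuple[str, str]]:
        if self.fts:
            # MATCH has its own query language (AND/OR/NOT, prefixes, column
            # filters).  Wrapping the term as a quoted phrase, with inner
            # double quotes doubled, keeps crafted content from rewriting it.
            phrase = '"' + term.replace('"', '""') + '"'
            sql = (
                "SELECT notes.topic_key, notes.body FROM notes_fts "
                "JOIN notes ON notes.id = notes_fts.rowid "
                "WHERE notes_fts MATCH ? ORDER BY notes.id"
            )
            return list(self.conn.execute(sql, (phrase,)))
        # Fallback when FTS5 is missing: LIKE with the wildcards escaped.
        escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        sql = "SELECT topic_key, body FROM notes WHERE body LIKE ? ESCAPE '\\' ORDER BY id"
        return list(self.conn.execute(sql, ("%" + escaped + "%",)))


if __name__ == "__main__":
    # Constructed sample data, not captured from a real agent session.
    kb = KnowledgeBase()
    kb.capture("deploy", "rotate the deploy key quarterly")
    kb.capture("deploy' OR '1'='1", "crafted topic key")
    print("FTS5 available:", kb.fts)
    print("unsafe:", unsafe_cli_command("x' OR '1'='1"))
    print("recall(deploy):", kb.recall("deploy"))
    print("search(rotate):", kb.search("rotate"))
```

The crafted topic key is stored and recalled as an ordinary string because it never becomes part of the SQL text; the same input in the CLI string leaves the WHERE clause reading `topic_key = 'x' OR '1'='1'`. The `has_fts5()` probe covers the scan's "verify sqlite3 supports FTS5" step for the Python module specifically; the `sqlite3` binary the hook scripts invoke may be linked against a different SQLite, so check that one separately (for example with `sqlite3 :memory: "CREATE VIRTUAL TABLE t USING fts5(x);"`).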


latest: vk974pwpz14x58emqd38x0hwftd83c95k
