Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Vault

v1.0.18

Persist and retrieve structured data using the Lance columnar format. Use when you need to store, query, or analyze data across sessions — such as saving ski...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code files implement a local CLI for creating, reading, updating, deleting, and backing up Lance datasets under the current directory — this directly matches the 'Data Vault' description. However, the packaging/install metadata uses unusual package names (e.g., 'pylance' rather than 'lance') and declares 'uv' as a required binary/installer which is not standard for a simple Python CLI; that mismatch is unexplained.
Instruction Scope
SKILL.md instructs installation of Python dependencies and running the included scripts. At runtime the skill reads and writes files under the current working directory ('.') and uses a local 'metadata.lance' file and per-dataset folders. It does not request or transmit environment variables, network endpoints, or external tokens in the instructions. Note: storing data on '.' means the skill will read/write any files within the agent's working directory—so run it in an isolated directory if you care about data separation.
Install Mechanism
The install steps bootstrap pip and run 'pip install --upgrade uv' and then use 'uv' to install 'pylance' and 'pandas'. This is nonstandard: 'uv' as an installer/binary is uncommon and may be platform-specific. More importantly, the skill repeatedly insists the Lance PyPI package is named 'pylance' (and warns not to replace it with 'lance'), which is suspicious because 'pylance' is commonly known as a VSCode language server package — this could be a typo/author confusion or it could cause installation of the wrong package. No external download URLs are used, but the package name mismatch creates a supply-chain risk (you may end up installing an unrelated package).
Credentials
The skill declares no required environment variables, no credentials, and no config paths beyond using the current working directory. That is appropriate for a local data store. There are no requests for unrelated secrets.
Persistence & Privilege
The skill is not forced-always and is user-invocable. It persists data to disk under the current directory (per its design) but does not attempt to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not unusual here.
What to consider before installing
This skill's code implements a local Lance-based dataset CLI that stores data under the agent's current directory, which aligns with its description. The main red flag is the install instructions: they use a nonstandard 'uv' installer and insist on a PyPI package named 'pylance' (claimed to provide the 'lance' module). Before installing or running, do one of the following: (1) verify on PyPI that the intended Lance package name is correct (installing the wrong package could pull unrelated code), (2) ask the author to confirm the use of 'pylance' vs 'lance' and why 'uv' is required, or (3) run the skill in a disposable/sandboxed environment (container or VM) and inspect what pip installs. Also run the CLI from an isolated directory to avoid accidental reads/writes to other files. If the author confirms the package names and installer are intentional and you can inspect the installed packages, this would likely move the assessment toward benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ckfcp6v7322pty8wy7b6pe583na5t

Runtime requirements

Bins: python3, uv, pip

Install

Install pylance (Lance columnar format) via uv: uv tool install pylance
Install pandas via uv: uv tool install pandas
