Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lance Store

v1.0.12

Persist and retrieve structured data using the Lance columnar format. Use when you need to store, query, or analyze data across sessions — such as saving ski...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (scripts/*.py) implements local dataset creation, append/read/update/delete, metadata management, and uses a 'lance' Python module to operate on local files — this matches the skill's stated purpose of persisting structured data in Lance format. However, the install/requirements references a PyPI package named 'pylance' (and the README/requirements.txt comment insists 'pylance' is the package that provides the 'lance' module). That naming mismatch is unexpected and reduces confidence that the install instructions map cleanly to the runtime imports.
Instruction Scope
SKILL.md and the CLI scripts operate on the current working directory only, list and read local 'metadata.lance', and provide explicit commands; there are no instructions to read unrelated system files, environment variables, or to transmit data to external endpoints. The code includes input validation (dataset name / backup path checks) to mitigate path traversal.
Install Mechanism
The registry install block and requirements.txt ask for 'pylance' via an installer labelled 'uv' and for 'pandas'. 'pylance' is an unusual name for a Lance-format runtime dependency (it is also the name of a Microsoft VSCode language server), so this could be a naming mistake, a confusing wrapper, or an incorrect package. The install mechanism 'uv' is non-standard/ambiguous in this context. These inconsistencies could cause the installed packages not to provide the expected 'lance' module, or — in the worst case — install an unrelated package. No arbitrary download URLs are present, which reduces highest-risk concerns, but the package-name ambiguity is a real red flag to verify.
Credentials
The skill requests no environment variables, no external credentials, and no config paths. All filesystem access is scoped to the current working directory; the code does read and write local dataset directories and metadata files, which is appropriate for a storage skill.
Persistence & Privilege
always: false and the skill does not request permanent elevated platform privileges. It creates and modifies files under the current working directory (data and metadata files) but does not modify other skills, global config, or system-wide settings.
What to consider before installing
Before installing or running this skill, verify the package and installer mapping:
1) Check PyPI (or the source the platform will use) to confirm that the package named 'pylance' actually provides the 'lance' Python module expected by the code — if 'pylance' is a typo or a different package, the skill may fail or install an unrelated package.
2) Ask the publisher/developer to explain the 'uv' installer kind (how it resolves packages) and why 'pylance' is used instead of a package named 'lance'.
3) Run this skill in an isolated/sandbox environment (not on a production host) and inspect what packages are installed and the installed package source.
4) If you proceed, run small tests in a temporary directory to confirm datasets are created only where you expect.
If the developer confirms that 'pylance' is intentionally the correct PyPI package for the Lance runtime and explains the installer, the concerns here would likely be resolved and the skill could be considered coherent.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: python3

Install

Install pylance (Lance columnar format) via uv: uv tool install pylance
Install pandas via uv: uv tool install pandas
