Sirchmunk

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent local file-search wrapper, but users should scope what it can search and protect the LLM credentials used by the Sirchmunk service.

Install only if you trust the Sirchmunk package and are comfortable running its local server. Configure a narrow `SIRCHMUNK_SEARCH_PATHS`, avoid searching folders with secrets, and use a protected, appropriate LLM API key/base URL for any content that may be processed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill’s prerequisite package means code from the Python package source takes part in local file search.

Why it was flagged

The skill depends on an external Python package and local server that are not included in the reviewed files; this is expected for the stated integration but means the package provenance and updates matter.

Skill content
Sirchmunk installed: `pip install sirchmunk`
Recommendation

Install Sirchmunk from a trusted source, review the referenced project if needed, and keep the dependency updated or pinned in controlled environments.

What this means

The configured LLM account may be used when searches are run.

Why it was flagged

The Sirchmunk service requires LLM provider credentials/configuration. This is purpose-aligned for LLM-powered search, but it is not declared in the registry metadata.

Skill content
Config: `~/.sirchmunk/.env`, `LLM_API_KEY`, `LLM_BASE_URL` and `LLM_MODEL_NAME` are required.
Recommendation

Use a dedicated or least-privileged API key where possible, keep `~/.sirchmunk/.env` private, and confirm the configured LLM provider is acceptable for the files being searched.

What this means

Search results may reveal private local file contents to the agent session and may be processed according to the configured LLM endpoint.

Why it was flagged

Search scope can be set through configuration or a parameter, so retrieved local file contents may enter the agent’s context and, depending on Sirchmunk/LLM settings, model processing.

Skill content
The `paths` parameter requires pre-configuration as `SIRCHMUNK_SEARCH_PATHS` or inclusion as a search parameter.
Recommendation

Configure only the directories you intend to search, exclude secrets or sensitive folders, and review search results before relying on them in downstream actions.

What this means

Unusual query text or path values could cause failed searches or unexpected request formatting.

Why it was flagged

The shell wrapper interpolates query and path values directly into JSON. This is not shell execution, but quotes or special characters in inputs could break or alter the local search request.

Skill content
\"query\": \"$QUERY\",\n    \"paths\": $PATHS_JSON,
Recommendation

Use normal search text and trusted paths; maintainers should build the JSON payload with a proper JSON encoder such as `jq` or Python.