Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KnowMine
v1.2.0Save and search personal notes, decisions, and insights with semantic search via MCP. Use this skill when users want to remember things across conversations,...
⭐ 0· 291·0 current·0 all-time
byYING99@yiing99
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (personal semantic notes via MCP) matches the runtime instructions and the single credential (KNOWMINE_API_KEY) the SKILL.md says is required. However the registry metadata earlier listed no required env vars while the SKILL.md demands KNOWMINE_API_KEY — this metadata mismatch is unexpected and should be clarified.
Instruction Scope
Instructions restrict network endpoints to knowmine.ai and describe the MCP API and tools, which is appropriate. But the SKILL.md also states 'Embeddings: OpenAI text-embedding-3-small' and elsewhere claims 'no third‑party data sharing' — these statements conflict: if embeddings are generated via OpenAI, user content may be forwarded to OpenAI, which is a third party. The skill gives no explicit guidance about what user data is sent to embedding providers or whether embeddings are computed entirely server-side under KnowMine's control.
Install Mechanism
This is an instruction-only skill with no install spec or shipped code, so there is nothing written to disk by the skill itself. SKILL.md suggests using 'npx clawhub@latest install knowmine' (an external install command) but no downloads or extracts are embedded in the skill — install risk is low from the skill bundle itself.
Credentials
SKILL.md requires a single service credential (KNOWMINE_API_KEY), which is proportional for a hosted personal-knowledge service. But the registry metadata omitted this requirement (incoherent). Also the mention of OpenAI embeddings raises the question whether an OpenAI key or other credentials are needed or whether KnowMine will forward user content to OpenAI on the backend — that data flow is not documented and could increase credential/privilege needs or privacy exposure.
Persistence & Privilege
The skill does not request always-on presence and uses default autonomous invocation settings. It does not declare modifications to other skills or system-wide settings. No elevated persistence privileges are requested in the provided metadata or instructions.
What to consider before installing
Before installing: 1) Confirm the metadata mismatch — ask the publisher why the registry listed no env vars but SKILL.md requires KNOWMINE_API_KEY. 2) Clarify the data flow for embeddings: does KnowMine send your content to OpenAI (or other third parties) to compute embeddings? If so, what is their privacy policy and can you opt out or use a self‑hosted embedding provider? 3) Verify the website and GitHub repo links, check the /api/mcp/health endpoint over HTTPS, and prefer testing with non‑sensitive dummy notes first. 4) Ensure the API key can be rotated/revoked and has limited scope; do not store secrets you wouldn’t want sent to a third party. 5) If you need a stricter privacy model, ask whether self‑hosting or an alternative that keeps embeddings local is available. If the publisher cannot clearly answer these points, treat the skill as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk973jmxb721pm2d4sg0r97esx582y87f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.