Back to skill
Skillv0.4.0
ClawScan security
Kivo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 29, 2026, 3:10 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code largely matches a knowledge-management engine, but registry metadata and SKILL.md omit important runtime requirements and the package will persist conversation data to disk and may build native modules—these mismatches and persistence behaviors merit caution before installing.
- Guidance
- This package appears to implement a full local knowledge engine and will persist agent messages and document extracts to a SQLite database and may build native modules during npm install. Before installing: 1) Verify the package publisher / npm package name and integrity (checksum/signature) — do not blindly run npm install on an untrusted package. 2) Expect it to persist conversational data by default (OpenClawAdapter → ~/.openclaw/...); change dbPath to an isolated directory if you do not want chats written into your home/workspace. 3) Do not provide high-privilege API keys (e.g., your primary OpenAI key) to a package you haven't audited; consider using a limited-scope key or a local embedding provider. 4) Review bootstrap behavior: it creates an admin user and the provided bootstrap hash is a simple custom hash — ensure you set a strong admin password and inspect how passwords/sessions are stored. 5) If you plan to run in production, audit the source files (or the published npm package) for any network calls, telemetry, or undisclosed endpoints and confirm no secrets are transmitted to third parties. If you want, I can list the files that touch the filesystem, network, or read environment variables so you can inspect them more quickly.
Review Dimensions
- Purpose & Capability
- noteThe package code and README implement a knowledge-extraction, storage (SQLite), search, conflict-resolution, and adapter system that matches the stated purpose. However the registry metadata declares no required environment variables or credentials while the code and README clearly reference runtime configuration (e.g., KIVO_EMBEDDING_PROVIDER, KIVO_EMBEDDING_API_KEY, AUTH_PASSWORD) and provide an OpenClaw adapter that defaults to storing the DB under the user's ~/.openclaw workspace. The absence of declared env requirements in metadata is an incoherence worth flagging.
- Instruction Scope
- concernSKILL.md instructs installing and calling the library (npm install, npx kivo init), and the code contains adapters that will automatically ingest session messages (OpenClawAdapter.onSessionMessage → kivo.ingest) and persist extracted knowledge. That means agent conversations and other ingested inputs can be stored on disk and broadcast via an EventBus. The instructions do not explicitly call this out as a persistent collection of chat content, which may be surprising and could capture sensitive data if used without caution.
- Install Mechanism
- concernThe registry lists no install spec (instruction-only), but the package contains a full codebase and README that suggest npm installation. The project depends on native-building modules (better-sqlite3) and crypto/crypto-adjacent libraries (bcryptjs) which will run build steps at install time and require Node >= 20. Installing from an unknown/unverified package name and building native modules increases risk: check package provenance, signatures, and the exact npm package published under the name before running npm install.
- Credentials
- concernAlthough the registry lists no required env vars, the code/README expect environment variables for embedding/LLM providers and a web AUTH_PASSWORD (KIVO_EMBEDDING_PROVIDER, KIVO_EMBEDDING_API_KEY, KIVO_EMBEDDING_MODEL, AUTH_PASSWORD). Requesting an embedding API key (potentially an OpenAI key) is proportionate to semantic search capabilities, but the omission from metadata is misleading. Also the bootstrap flow will create an admin account (the bootstrap code uses a simple custom hash fallback) — you should ensure a secure password and understand where credentials are stored.
- Persistence & Privilege
- noteThe skill does not set always:true and does not itself claim extra platform privileges, but its adapters and bootstrap code write persistent data (SQLite DB) to disk by default (notably ~/.openclaw/workspace/state/kivo.db for the OpenClaw adapter). The skill can be invoked autonomously (default) and will persist ingested content and emit events; this is expected for a knowledge store but increases blast radius for sensitive conversation data.