Is researchvault safe?

https://clawhub.ai/lraivisto/researchvault

Overall score: 72
Verdict: CAUTION

ResearchVault is a legitimate research orchestration skill with genuine SSRF hardening and security-conscious design choices (disable-model-invocation, scrub_data, SafeSession). However, the install phase triggered reads of sensitive files (.aws/credentials, .env, auth-profiles.json), the pip install -e . pattern allows arbitrary code execution during setup, and the core URL-fetching capability creates data exfiltration and indirect prompt injection vectors. The skill is not malicious but carries meaningful risk from its network-capable design and install-time code execution.

Category Scores

Prompt Injection: 92/100 (weight 30%)
Data Exfiltration: 55/100 (weight 25%)
Code Execution: 52/100 (weight 20%)
Clone Behavior: 48/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 58/100 (weight 5%)

Findings (11)

HIGH Sensitive file reads during installation -52

During the install phase, the process read .env, .aws/credentials, auth-profiles.json, .profile, and .bashrc. While some of these may be normal OpenClaw runtime behavior, reading AWS credentials and auth profiles during a skill install is a significant concern.

HIGH Arbitrary URL fetching capability -20

The scuttle subsystem fetches arbitrary user-supplied URLs via SafeSession. While SSRF protections block private networks, the skill can be directed to send HTTP requests to any public endpoint. An attacker could craft a URL that exfiltrates context via query parameters or POST bodies in future connector extensions.

MEDIUM Research queries sent to external Brave Search API -10

The perform_brave_search function sends research queries to api.search.brave.com. Research topic content and finding titles are used to construct search queries, which could leak sensitive project context to a third-party API.

MEDIUM Incomplete scrub_data regex sanitization -8

The scrub_data function uses regex patterns to redact sensitive paths and credentials from stored data. Regex-based scrubbing is inherently incomplete: encoded paths, non-standard formats, Windows paths, or obfuscated credentials would bypass these patterns.

MEDIUM Database path override via environment variable -7

The RESEARCHVAULT_DB environment variable allows overriding the SQLite database location to any arbitrary path. If an attacker can influence environment configuration, they could point the database to sensitive locations or use it for path traversal.

MEDIUM pip install -e . executes arbitrary setup code -30

The install command runs pip install -e . which executes pyproject.toml build hooks or setup.py. While standard for Python packages, this grants the skill author arbitrary code execution at install time. The pyproject.toml was present but its build system hooks were not fully audited.

MEDIUM Background service capabilities (MCP server, Watchdog) -18

The skill includes optional background services (mcp_server.py, watchdog.py) that can maintain persistent processes. While they require manual start and disable-model-invocation is set, they expand the attack surface if a user is persuaded to start them.

LOW Indirect prompt injection via fetched content -15

Content fetched from URLs via the scuttle system is stored in the database and could later be presented to the agent. Attacker-controlled web pages could embed prompt injection payloads in their HTML content that would be stored and later influence agent behavior.

LOW User-Agent string reveals skill identity -3

HTTP requests include User-Agent: ResearchVault/2.6.2 which identifies the skill and version to remote servers. This is an information disclosure that could help attackers target known vulnerabilities.

INFO Positive: disable-model-invocation set to true -5

The SKILL.md manifest sets disable-model-invocation: true, which prevents the agent from autonomously invoking skill capabilities. This is a positive security control.

MEDIUM Combination risk with other skills -27

If combined with a skill that has filesystem write access, the RESEARCHVAULT_DB override and artifact path mechanisms could be chained to write attacker-controlled SQLite data to sensitive locations. The stored research content could also serve as a vector for cross-skill prompt injection.