Pinecone

Pinecone vector database — manage indexes, upsert vectors, query similarity search, manage namespaces, and track collections via the Pinecone API. Build sema...

This skill's purpose (Pinecone CLI) is reasonable and the single required secret (PINECONE_API_KEY) matches the purpose — but the script reads a local .env file at WORKSPACE or ~/.openclaw/workspace/.env to find that key if the environment variable is missing. That local-file access is not documented in SKILL.md. Actionable steps before installing or using: 1) Inspect or run the script in an isolated environment (container/VM). 2) If you store secrets in ~/.openclaw/workspace/.env, be aware the skill will read it; consider rotating the Pinecone key or removing it from that file. 3) Ask the publisher to declare the .env fallback in SKILL.md (or remove the fallback) and to fix the HTTP method/path bugs — the current implementation appears buggy and may fail or behave unexpectedly. 4) If you don't trust the author, avoid installing; else test with a limited-scoped Pinecone key and monitor network requests. If you want, I can point out the exact lines to change to remove the .env fallback and to correct the API calls.

Type: OpenClaw Skill Name: pinecone Version: 1.0.0 The skill bundle is classified as suspicious due to a complete mismatch between the documented functionality in SKILL.md and the actual implementation in scripts/pinecone.py. The Python script contains non-functional code that uses incorrect HTTP methods (e.g., GET for upsert and query operations) and invalid API paths that do not match the official Pinecone API. Furthermore, the command functions ignore the input arguments provided by the user, rendering the skill non-functional for its stated purpose. While the script targets the legitimate api.pinecone.io domain and lacks explicit exfiltration logic, the collection of the PINECONE_API_KEY from the environment or .env files by a non-functional script is highly irregular.