Research Logger Pro

Auto-saves deep search results to SQLite and Langfuse. Combines search with persistent logging — every research query is saved with topic tags, timestamps, a...

This skill largely does what it claims (logs Perplexity search results to a local SQLite DB and to Langfuse tracing), but it ships with hard-coded Langfuse keys and a default Langfuse host that will cause your research queries and results to be sent to that tracing instance by default. Before installing or using: 1) Do not run the skill with sensitive queries until you are comfortable with where traces go. 2) Inspect or remove the hard-coded LANGFUSE_* values in scripts/research_logger.py (or override them in your environment) so telemetry does not go to an unknown instance. 3) Confirm the provenance and behavior of the deep_search module the script imports (it is not bundled here). 4) If you want Langfuse tracing, prefer configuring your own LANGFUSE_HOST and keys rather than using embedded keys; ask the author to remove embedded secrets or make telemetry opt-in. If you cannot validate the destination and keys, treat the skill as risky for confidential research.

Type: OpenClaw Skill Name: research-logger-pro Version: 1.0.0 The skill bundle is classified as suspicious due to two main security concerns found in `scripts/research_logger.py`. Firstly, it hardcodes Langfuse API keys (e.g., `sk-lf-115cb6b4-7153-4fe6-9255-bf28f8b115de`), which is a vulnerability as it exposes credentials. Secondly, the script imports and passes unsanitized user input (`args.query`) to an unprovided external script, `deep_search.py`. While `research_logger.py` itself uses parameterized queries to prevent SQL injection in its SQLite operations, the unknown implementation of `deep_search.py` creates a significant blind spot and a potential shell injection vulnerability if it executes the query in a shell. There is no evidence of intentional malicious behavior like data exfiltration or persistence.