ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Search Dashvector

v1.0.3

Build vector retrieval with DashVector using the Python SDK. Use when creating collections, upserting docs, and running similarity search with filters in Cla...

0· 1.1k·2 current·2 all-time
by@cinience
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill name/description references Alibaba Cloud AI Search but the SKILL.md and code consistently use DashVector and environment variables named DASHVECTOR_*. The registry metadata lists no required env vars while the runtime clearly requires DASHVECTOR_API_KEY and DASHVECTOR_ENDPOINT. These naming/metadata mismatches reduce confidence in provenance and intent.
Instruction Scope
SKILL.md and scripts stay within the stated functionality: creating collections, upserting documents, and running similarity queries. However the provided quickstart script performs mutating operations (create + upsert) by default — not read-only — so callers should confirm intent and permissions before running. Instructions also ask to save evidence files (output/...), which is reasonable for reproducibility but will write local artifacts.
Install Mechanism
This is an instruction-only skill with no install spec; it recommends pip installing the dashvector package in a venv. No network downloads from unusual URLs or archive extraction are present in the package itself.
!
Credentials
Runtime requires two environment variables (DASHVECTOR_API_KEY and DASHVECTOR_ENDPOINT) which are proportionate to the task. However the skill metadata declared no required env vars — an inconsistency that could hide runtime prerequisites. No additional unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request persistent agent-wide privileges or modify other skills. Autonomous invocation is allowed by default but is not by itself a red flag here.
What to consider before installing
This skill appears to implement DashVector-based vector store operations, but several inconsistencies mean you should proceed cautiously. Before installing or running it: - Confirm the provider: the skill name mentions Alibaba Cloud but the code uses DashVector — verify which service and endpoint you intend to use. - Set up a throwaway/test account or isolated project before running the quickstart, since the script will create a collection and upsert documents (mutating operations). - Provide the DASHVECTOR_API_KEY and DASHVECTOR_ENDPOINT only for an account you control; do not reuse sensitive credentials. - Because the registry metadata omits required env vars and there is no homepage/source URL, prefer to obtain an official SDK or documentation from the vendor and compare; ask the publisher for a source repository or official docs. - If you need higher assurance, request the publisher to fix metadata (declare required env vars, clarify provider), add a homepage/repo link, and provide a read-only validation mode before mutating resources. What would change this assessment: publisher-provided homepage/source, corrected metadata listing the required DASHVECTOR env vars, and explicit documentation tying DashVector usage to Alibaba Cloud (or correcting the name) would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk976th5zgse596h3pb6h8388zn82ptzz
1.1kdownloads
0stars
4versions
Updated 23h ago
v1.0.3
MIT-0
@cinience
latest
Download

Category: provider

DashVector Vector Search

Use DashVector to manage collections and perform vector similarity search with optional filters and sparse vectors.

Prerequisites

  • Install SDK (recommended in a venv to avoid PEP 668 limits):
python3 -m venv .venv
. .venv/bin/activate
python -m pip install dashvector
  • Provide credentials and endpoint via environment variables:
    • DASHVECTOR_API_KEY
    • DASHVECTOR_ENDPOINT (cluster endpoint)

Normalized operations

Create collection

  • name (str)
  • dimension (int)
  • metric (str: cosine | dotproduct | euclidean)
  • fields_schema (optional dict of field types)

Upsert docs

  • docs list of {id, vector, fields} or tuples
  • Supports sparse_vector and multi-vector collections

Query docs

  • vector or id (one required; if both empty, only filter is applied)
  • topk (int)
  • filter (SQL-like where clause)
  • output_fields (list of field names)
  • include_vector (bool)

Quickstart (Python SDK)

import os
import dashvector
from dashvector import Doc

client = dashvector.Client(
    api_key=os.getenv("DASHVECTOR_API_KEY"),
    endpoint=os.getenv("DASHVECTOR_ENDPOINT"),
)

# 1) Create a collection
ret = client.create(
    name="docs",
    dimension=768,
    metric="cosine",
    fields_schema={"title": str, "source": str, "chunk": int},
)
assert ret

# 2) Upsert docs
collection = client.get(name="docs")
ret = collection.upsert(
    [
        Doc(id="1", vector=[0.01] * 768, fields={"title": "Intro", "source": "kb", "chunk": 0}),
        Doc(id="2", vector=[0.02] * 768, fields={"title": "FAQ", "source": "kb", "chunk": 1}),
    ]
)
assert ret

# 3) Query
ret = collection.query(
    vector=[0.01] * 768,
    topk=5,
    filter="source = 'kb' AND chunk >= 0",
    output_fields=["title", "source", "chunk"],
    include_vector=False,
)
for doc in ret:
    print(doc.id, doc.fields)

Script quickstart

python skills/ai/search/alicloud-ai-search-dashvector/scripts/quickstart.py

Environment variables:

  • DASHVECTOR_API_KEY
  • DASHVECTOR_ENDPOINT
  • DASHVECTOR_COLLECTION (optional)
  • DASHVECTOR_DIMENSION (optional)

Optional args: --collection, --dimension, --topk, --filter.

Notes for Claude Code/Codex

  • Prefer upsert for idempotent ingestion.
  • Keep dimension aligned to your embedding model output size.
  • Use filters to enforce tenant or dataset scoping.
  • If using sparse vectors, pass sparse_vector={token_id: weight, ...} when upserting/querying.

Error handling

  • 401/403: invalid DASHVECTOR_API_KEY
  • 400: invalid collection schema or dimension mismatch
  • 429/5xx: retry with exponential backoff

Validation

mkdir -p output/alicloud-ai-search-dashvector
for f in skills/ai/search/alicloud-ai-search-dashvector/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-ai-search-dashvector/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-search-dashvector/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-search-dashvector/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • DashVector Python SDK: Client.create, Collection.upsert, Collection.query

  • Source list: references/sources.md

Comments

Loading comments...