Alicloud Ai Search Dashvector

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals; the notes below are observations from that review, not findings. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used, the agent can act on any DashVector resource the provided API key is authorized for.

Why it was flagged

The skill uses a cloud provider API key and endpoint, which is expected for DashVector access but gives the agent delegated access to that service.

Skill content
Provide credentials and endpoint via environment variables:
  - `DASHVECTOR_API_KEY`
  - `DASHVECTOR_ENDPOINT`
Recommendation

Use a least-privilege DashVector key, keep it in environment variables rather than pasting it into chat, and verify the endpoint and target collection before allowing mutating actions.

What this means

Running the quickstart or following the workflow can create a collection and insert sample records in the configured DashVector account.

Why it was flagged

The included quickstart performs create, upsert, and query operations against DashVector; these are aligned with the skill purpose but include cloud-side mutations.

Skill content
ret = client.create(...)
...
ret = collection.upsert(docs)
...
ret = collection.query(
Recommendation

Run mutating examples only against a test or intended collection, confirm parameters first, and prefer the documented read-only connectivity check before writes.
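The two recommendations above (key and endpoint from the environment, endpoint check, a read-only probe first, writes only to an explicitly confirmed collection) combined into one guarded workflow. This is an added example, not code from the skill or the DashVector SDK: the SDK client is replaced by a FakeClient that records calls so the logic runs offline, and the endpoint host pattern, the collection allow-list, and the use of client.list() as the read-only probe are assumptions.

```python
"""Pre-flight guard for an agent skill that talks to DashVector (added example)."""
import re
from urllib.parse import urlparse

# Assumption: a DashVector endpoint is a *.dashvector.<region>.aliyuncs.com host.
ENDPOINT_HOST_RE = re.compile(r"^[a-z0-9-]+\.dashvector\.[a-z0-9-]+\.aliyuncs\.com$")


class ConfigError(ValueError):
    """Credentials or endpoint are missing or do not look like DashVector."""


def load_config(env):
    """Read key and endpoint from the environment only, never from chat text."""
    key = (env.get("DASHVECTOR_API_KEY") or "").strip()
    endpoint = (env.get("DASHVECTOR_ENDPOINT") or "").strip()
    if not key:
        raise ConfigError("DASHVECTOR_API_KEY is not set")
    if not endpoint:
        raise ConfigError("DASHVECTOR_ENDPOINT is not set")
    return key, endpoint


def validate_endpoint(endpoint):
    """Return the host if the endpoint matches the expected provider pattern."""
    url = endpoint if "://" in endpoint else "https://" + endpoint
    host = urlparse(url).hostname or ""
    if not ENDPOINT_HOST_RE.match(host):
        raise ConfigError(f"unexpected DashVector endpoint host: {host!r}")
    return host


class FakeCollection:
    """Stand-in for a DashVector collection; records writes instead of sending them."""

    def __init__(self, name, log):
        self.name, self.log = name, log

    def upsert(self, docs):
        self.log.append(("upsert", self.name, len(docs)))
        return {"code": 0}


class FakeClient:
    """Stand-in for dashvector.Client(api_key=..., endpoint=...) (assumed signature)."""

    def __init__(self, api_key, endpoint, auth_ok=True):
        self.auth_ok, self.log = auth_ok, []

    def list(self):
        # Read-only probe (assumed SDK method): fails early if the key is wrong.
        if not self.auth_ok:
            raise RuntimeError("authentication failed")
        return ["test-docs"]

    def get(self, name):
        return FakeCollection(name, self.log)


def preflight(env, client_factory=FakeClient):
    """Validate config and run a read-only probe before any write is allowed."""
    key, endpoint = load_config(env)
    validate_endpoint(endpoint)
    client = client_factory(api_key=key, endpoint=endpoint)
    return client, client.list()


def guarded_upsert(client, collection_name, docs, allowed_collections):
    """Allow a write only to a collection that was explicitly allow-listed."""
    if collection_name not in allowed_collections:
        raise PermissionError(
            f"refusing to write to {collection_name!r}; allowed: {sorted(allowed_collections)}"
        )
    return client.get(collection_name).upsert(docs)


def demo():
    """Run the guarded workflow on constructed config; returns (probe result, write log)."""
    env = {  # constructed values, not real credentials
        "DASHVECTOR_API_KEY": "sk-example",
        "DASHVECTOR_ENDPOINT": "https://vrs-cn-example.dashvector.cn-hangzhou.aliyuncs.com",
    }
    client, existing = preflight(env)
    allowed = {"test-docs"}
    docs = [{"id": "1", "vector": [0.1, 0.2], "fields": {"title": "hello"}}]
    guarded_upsert(client, "test-docs", docs, allowed)
    try:
        guarded_upsert(client, "prod-docs", docs, allowed)
    except PermissionError:
        pass  # expected: not on the allow-list, so nothing is written
    return existing, client.log
```

In real use, pass the SDK client class as `client_factory` and populate the allow-list with the one test or intended collection; the write log doubles as an audit trail of which collections the agent actually mutated.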

What this means

A future package version could behave differently from the version the skill author tested.

Why it was flagged

The skill instructs users to install the DashVector SDK, but the package version is not pinned; this is normal for an SDK-based provider skill but is a supply-chain consideration.

Skill content
python -m pip install dashvector
Recommendation

Install in a virtual environment, verify the package source (index and publisher), and consider pinning a known-good dashvector version, with hashes, for production use.

What this means

Sensitive or poorly scoped data inserted into DashVector may be retrieved in later searches or mixed with other tenants/datasets if filters are not used carefully.

Why it was flagged

The skill is designed to store document vectors and fields in a vector index, which can persist and later affect retrieval results.

Skill content
Upsert docs
- `docs` list of `{id, vector, fields}` or tuples
Recommendation

Avoid uploading sensitive data unless authorized, use tenant or dataset filters, and define retention/deletion practices for stored vectors and fields.
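The data-hygiene recommendation above as a pre-upsert check: allow-listed fields only, scope tags set by the ingest path rather than the caller, ids prefixed per tenant so an upsert cannot overwrite another tenant's doc, a scoped filter for every query, and a retention sweep. This is an added example, not code from the skill or DashVector. It assumes docs are dicts of the form `{id, vector, fields}`, that tenant and dataset are stored as plain fields and queried with a SQL-like filter such as `tenant = 'acme'`, and the sensitive-value patterns and field names are illustrative.

```python
"""Scope and hygiene checks before upserting docs into DashVector (added example)."""
import re
from datetime import datetime, timezone

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # keeps filter strings injection-free
SCOPE_FIELDS = ("tenant", "dataset", "ingested_at")  # set here, never by the caller
SENSITIVE = {  # illustrative detectors for values that should not be indexed
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card-like number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
NOW = datetime(2026, 4, 30, tzinfo=timezone.utc)  # constructed clock for the demo


class DocRejected(ValueError):
    """The doc must not be written as-is."""


def sanitize_doc(doc, tenant, dataset, allowed_fields, now=NOW):
    """Return a write-ready copy: allow-listed fields only, scoped id, scope tags added."""
    for name in (tenant, dataset):
        if not NAME_RE.match(name):
            raise DocRejected(f"bad scope name {name!r}")
    doc_id = str(doc.get("id") or "")
    vector = doc.get("vector")
    if not doc_id or not isinstance(vector, (list, tuple)) or not vector:
        raise DocRejected("doc needs a non-empty id and vector")
    fields = dict(doc.get("fields") or {})
    unknown = set(fields) - set(allowed_fields)
    if unknown:
        raise DocRejected(f"fields not on the allow-list: {sorted(unknown)}")
    if set(fields) & set(SCOPE_FIELDS):
        raise DocRejected("scope fields are set by the ingest path, not by the doc")
    for key, value in fields.items():
        if isinstance(value, str):
            for label, pattern in SENSITIVE.items():
                if pattern.search(value):
                    raise DocRejected(f"field {key!r} looks like it contains {label}")
    fields.update(tenant=tenant, dataset=dataset, ingested_at=int(now.timestamp()))
    # Prefix the id: upsert overwrites by id, so two tenants must not share one id space.
    return {"id": f"{tenant}:{doc_id}", "vector": list(vector), "fields": fields}


def scope_filter(tenant, dataset):
    """Filter expression to send with every query so one tenant cannot see another's docs."""
    for name in (tenant, dataset):
        if not NAME_RE.match(name):
            raise ValueError(f"bad scope name {name!r}")
    return f"tenant = '{tenant}' AND dataset = '{dataset}'"


def expired_ids(fields_by_id, retention_days, now=NOW):
    """Ids whose ingested_at is older than the retention window (candidates for delete)."""
    cutoff = int(now.timestamp()) - retention_days * 86400
    return sorted(i for i, f in fields_by_id.items() if f.get("ingested_at", 0) < cutoff)
```

The same `NAME_RE` guards both the stored scope tags and the filter string, so a tenant name chosen by a prompt cannot smuggle `' OR '1'='1` into the query; `expired_ids` is what you would feed to the collection's delete call on a schedule.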