Aliyun Opensearch Search
v1.0.0
Use when working with OpenSearch vector search edition via the Python SDK (ha3engine) to push documents and run HA/SQL searches. Ideal for RAG and vector ret...
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and scripts clearly require OpenSearch connection credentials and configuration (OPENSEARCH_ENDPOINT, OPENSEARCH_INSTANCE_ID, OPENSEARCH_USERNAME, OPENSEARCH_PASSWORD, OPENSEARCH_DATASOURCE, etc.), which are appropriate for the described OpenSearch functionality. However, the registry metadata declares no required environment variables or primary credential — that mismatch is an incoherence that should be clarified before installation.
Instruction Scope
Instructions stay within the stated purpose (install SDK, push documents, run HA/SQL searches). However: (1) the quickstart code sets protocol='http' (plaintext) for the client, which can expose credentials in transit; (2) the workflow asks agents to save 'key parameters' (region/resource id/time range) and artifacts to disk under an output directory — this is plausible for reproducibility but can lead to persistent sensitive artifacts if not handled carefully. The instructions also rely on environment variables that are not declared in metadata.
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only). SKILL.md recommends installing the official-looking pip package alibabacloud-ha3engine in a venv. This is a standard, low-risk approach provided the package source/version is validated before install.
Credentials
The environment variables the skill needs (endpoint, instance id, username, password, datasource, pk field, optional cluster) are proportionate to the OpenSearch use case. But the metadata declaring 'Required env vars: none' is inconsistent with reality. Also OPENSEARCH_PASSWORD is a secret; the code's use of HTTP (not HTTPS) increases the risk of credential exposure in transit.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or permanent presence. It writes artifacts to an output/aliyun-opensearch-search directory per instructions, which is normal for a quickstart but should be treated as potentially sensitive storage.
What to consider before installing
This skill appears to do what it says (push/search OpenSearch) but there are important issues to verify before installing/using it:
- Metadata vs reality: the registry metadata does not list any required env vars, but the SKILL.md and quickstart.py require several credentials (OPENSEARCH_ENDPOINT, OPENSEARCH_INSTANCE_ID, OPENSEARCH_USERNAME, OPENSEARCH_PASSWORD, OPENSEARCH_DATASOURCE, etc.). Ask the publisher to correct metadata or document why credentials are omitted.
- Transport security: quickstart.py configures protocol='http' (plaintext). Prefer HTTPS/TLS to avoid leaking credentials. If your endpoint supports TLS, modify the code/config to use https and verify certs.
- Least privilege for credentials: use short-lived credentials, scoped service accounts, or token-based/role auth where possible rather than long-lived username/password stored in environment variables.
- Validate package provenance: pip-installing alibabacloud-ha3engine is expected, but confirm the package name/version and source (PyPI/official) before installing. Inspect the package or pin a known-good version.
- Artifact handling: the skill instructs saving outputs and 'key parameters' to disk. Ensure output directories do not contain secrets and are stored in a secure location or cleaned after use.
- Run in isolation: use a virtual environment or isolated container and run a read-only connectivity check first (as the workflow suggests). Monitor network egress and logs during initial runs.
- Ask for clarification: request the publisher update the registry metadata to list required env vars and explain the transport/protocol choice.
If these concerns are addressed (metadata fixed, TLS enforced, credentials handled via least-privilege mechanisms), the skill is coherent and appropriate for its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Category: provider
OpenSearch Vector Search Edition
Use the ha3engine SDK to push documents and execute HA/SQL searches. This skill focuses on API/SDK usage only (no console steps).
Prerequisites
- Install SDK (recommended in a venv to avoid PEP 668 limits):
```bash
python3 -m venv .venv
. .venv/bin/activate
python -m pip install alibabacloud-ha3engine
```
- Provide connection config via environment variables:
  - OPENSEARCH_ENDPOINT (API domain)
  - OPENSEARCH_INSTANCE_ID
  - OPENSEARCH_USERNAME
  - OPENSEARCH_PASSWORD
  - OPENSEARCH_DATASOURCE (data source name)
  - OPENSEARCH_PK_FIELD (primary key field name)
Quickstart (push + search)
```python
import os

from alibabacloud_ha3engine import models, client
from Tea.exceptions import TeaException, RetryError

cfg = models.Config(
    endpoint=os.getenv("OPENSEARCH_ENDPOINT"),
    instance_id=os.getenv("OPENSEARCH_INSTANCE_ID"),
    protocol="http",  # plaintext as shipped; the security scan above flags this
    access_user_name=os.getenv("OPENSEARCH_USERNAME"),
    access_pass_word=os.getenv("OPENSEARCH_PASSWORD"),
)
ha3 = client.Client(cfg)


def push_docs():
    data_source = os.getenv("OPENSEARCH_DATASOURCE")
    pk_field = os.getenv("OPENSEARCH_PK_FIELD", "id")
    documents = [
        {"fields": {"id": 1, "title": "hello", "content": "world"}, "cmd": "add"},
        {"fields": {"id": 2, "title": "faq", "content": "vector search"}, "cmd": "add"},
    ]
    req = models.PushDocumentsRequestModel({}, documents)
    return ha3.push_documents(data_source, pk_field, req)


def search_ha():
    # HA query example. Replace cluster/table names as needed.
    query_str = (
        "config=hit:5,format:json,qrs_chain:search"
        "&&query=title:hello"
        "&&cluster=general"
    )
    ha_query = models.SearchQuery(query=query_str)
    req = models.SearchRequestModel({}, ha_query)
    return ha3.search(req)


try:
    print(push_docs().body)
    print(search_ha())
except (TeaException, RetryError) as e:
    print(e)
```
Script quickstart
```bash
python skills/ai/search/aliyun-opensearch-search/scripts/quickstart.py
```
Environment variables:
- OPENSEARCH_ENDPOINT
- OPENSEARCH_INSTANCE_ID
- OPENSEARCH_USERNAME
- OPENSEARCH_PASSWORD
- OPENSEARCH_DATASOURCE
- OPENSEARCH_PK_FIELD (optional, default id)
- OPENSEARCH_CLUSTER (optional, default general)
Optional args: --cluster, --hit, --query.
SQL-style search
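```python
from alibabacloud_ha3engine import models

# Reuses the `ha3` client created in the quickstart above.
# Replace <indexTableName> with the name of your index table.
sql = "select * from <indexTableName>&&kvpair=trace:INFO;formatType:json"
sql_query = models.SearchQuery(sql=sql)
req = models.SearchRequestModel({}, sql_query)
resp = ha3.search(req)
print(resp)
```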
Notes for Claude Code/Codex
- Use push_documents for add/delete updates.
- Large query strings (>30KB) should use the RESTful search API.
- HA queries are fast and flexible for vector + keyword retrieval; SQL is helpful for structured data.
Error handling
- Auth errors: verify username/password and instance access.
- 4xx on push: check schema fields and pk_field alignment.
- 5xx: retry with backoff.
Validation
```bash
mkdir -p output/aliyun-opensearch-search
for f in skills/ai/search/aliyun-opensearch-search/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-opensearch-search/validate.txt
```
Pass criteria: command exits 0 and output/aliyun-opensearch-search/validate.txt is generated.
Output And Evidence
- Save artifacts, command outputs, and API response summaries under output/aliyun-opensearch-search/.
- Include key parameters (region/resource id/time range) in evidence files for reproducibility.
Workflow
- Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
- Run one minimal read-only query first to verify connectivity and permissions.
- Execute the target operation with explicit parameters and bounded scope.
- Verify results and save output/evidence files.
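An added example (not part of the skill bundle or of the scanner's output) of a preflight for the workflow above that applies the scan's points: required variables present, no plaintext protocol, and evidence files written redacted with owner-only permissions. The variable names and output directory come from SKILL.md; the function names, the `***` mask and the file modes are assumptions.

```python
import json
import os

# Names taken from SKILL.md; the checks, mask and file mode are assumptions.
REQUIRED = ("OPENSEARCH_ENDPOINT", "OPENSEARCH_INSTANCE_ID", "OPENSEARCH_USERNAME",
            "OPENSEARCH_PASSWORD", "OPENSEARCH_DATASOURCE")
SECRET_KEYS = ("OPENSEARCH_PASSWORD",)
OUT_DIR = os.path.join("output", "aliyun-opensearch-search")


def preflight(env, protocol):
    """Return findings that should block the run; an empty list means proceed."""
    findings = [f"missing env var: {name}" for name in REQUIRED if not env.get(name)]
    if protocol.lower() != "https":
        findings.append(f"protocol={protocol!r} exposes credentials in transit")
    return findings


def redact(record, env):
    """Mask secret values wherever they occur in an evidence record."""
    secrets = [env[k] for k in SECRET_KEYS if env.get(k)]

    def scrub(value):
        if isinstance(value, dict):
            return {k: "***" if k in SECRET_KEYS else scrub(v) for k, v in value.items()}
        if isinstance(value, list):
            return [scrub(v) for v in value]
        if isinstance(value, str):
            for secret in secrets:
                value = value.replace(secret, "***")
        return value

    return scrub(record)


def write_evidence(record, env, out_dir=OUT_DIR, name="evidence.json"):
    """Write a redacted evidence file that only the current user can read."""
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    path = os.path.join(out_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(redact(record, env), fh, indent=2, sort_keys=True)
    os.chmod(path, 0o600)  # also tightens a file left over from an earlier run
    return path


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    sample = {"OPENSEARCH_ENDPOINT": "ha-example.invalid", "OPENSEARCH_PASSWORD": "constructed-pw"}
    print(preflight(sample, "http"))
    print(redact({"cluster": "general", "debug": "auth=constructed-pw"}, sample))
```

Call `preflight(os.environ, protocol)` before constructing the client and stop on any finding; pass every record through `write_evidence` rather than writing it directly.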
References
- SDK package: alibabacloud-ha3engine
- Demos: data push and HA/SQL search demos in OpenSearch docs
- Source list: references/sources.md
