Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Knowledge Chat
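v1.0.2
Knowledge Chat knowledge-base chat assistant - supports connecting to external knowledge bases, semantic search, contextual conversation, and image/attachment understanding. Includes thinking-progress indicators, Markdown rendering, follow-up suggestions, and vector index building.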
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code files and SKILL.md implement a knowledge-base chat, semantic search, multimodal uploads, and RAG-style behavior as described. However, the registry metadata declares no required environment variables or primary credential, while the documentation and code clearly expect a DASHSCOPE_API_KEY / API key for an external AI service. This is an inconsistency: the credential should have been declared.
Instruction Scope
Runtime instructions are focused on deploying a Next.js app and setting DASHSCOPE_API_KEY, and the code shows expected behavior (POSTs to knowledge/chat/search endpoints, file reading for search, base64-encoding images for multimodal requests). The instructions do not ask the agent to read unrelated system files or secrets, but the connector will read files you point it at and will upload file contents/images to the target API—this is expected for the feature but materially affects data exposure.
Install Mechanism
There is no install spec in the registry (instruction-only). The included setup.sh only installs common npm packages (react-markdown, remark-gfm) and checks for Node.js; there are no downloads from obscure URLs or archive extraction operations in the package that would write arbitrary code to disk beyond typical dependency installs.
Credentials
The SKILL.md and Python scripts require an API key (DASHSCOPE_API_KEY / api_key) to call an external Dashscope endpoint. That credential is appropriate for the described functionality, but the registry metadata fails to declare it. The scripts also accept an arbitrary base_url—if a user configures that to a malicious endpoint, documents/images uploaded will be sent there. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It appears to run as a normal, user-invoked skill without elevated or persistent platform privileges.
What to consider before installing
Key things to consider before installing or running this skill:
- The SKILL.md and scripts require an API key (DASHSCOPE_API_KEY) though the registry metadata did not declare it — treat that as a metadata omission and expect to supply a key.
- The connector will send uploaded files, images (base64), and any local files you point it at to the configured external endpoint (default: dashscope.aliyuncs.com). Do not upload sensitive or confidential documents unless you trust and have reviewed the target service and its data handling policy.
- The connector accepts a configurable base_url; ensure you set it only to trusted endpoints. A malicious base_url would receive whatever content the skill sends.
- Review the included scripts (scripts/kb_connector.py and references/kb_connector.py) yourself before running; they are short and readable. If you must run, do so in an isolated/test environment first.
- Be cautious running scripts/setup.sh directly: it runs npm install and only warns about the DASHSCOPE_API_KEY. Confirm package.json/dependencies in your deployment context and consider running in a container.
- If you plan to deploy in production, restrict the API key scope, rotate keys, and verify the vendor (Dashscope/Aliyun endpoint) and privacy terms. Also ask the skill author/owner to update registry metadata to list required env vars and the homepage/source for accountability.
