Weaviate

v1.0.0

Build vector search with Weaviate using v4 syntax, proper module configuration, and production-ready patterns.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Weaviate v4 guidance) aligns with the content: schema/collection design, modules, batch operations, hybrid search, and HNSW tuning. The instructions cover expected topics for building production vector search with Weaviate.
!
Instruction Scope
SKILL.md instructs runtime use of provider API keys in client headers (e.g., headers={"X-OpenAI-Api-Key": os.environ["OPENAI_API_KEY"]}, X-Cohere-Api-Key). Those environment accesses are not declared in requires.env. The instructions also tell users how to enable modules and how to pass keys to the client, which is expected for this skill, but the skill text directly references reading environment variables the registry metadata does not list — per the evaluator rules this is scope inconsistency. There is no direct instruction to read arbitrary files, but the env-var usage grants access to secrets when the agent executes code.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes disk-write and external-install risk; nothing is downloaded or executed by the skill itself.
!
Credentials
The skill's docs require API keys for OpenAI and Cohere (and suggest headers for them) yet the registry lists no required env vars or primary credential. Asking for provider API keys is proportionate to the stated purpose, but failing to declare these credentials is a misalignment and a security/operational concern. The skill also suggests using high-privilege models (e.g., gpt-4) and enabling API-based modules; users should be cautioned to use scoped keys and quotas.
Persistence & Privilege
always:false and no install hooks; the skill does not request persistent system presence. Autonomous invocation is allowed (platform default) but not combined with other high-privilege indicators here.
What to consider before installing
This skill is a v4 Weaviate usage guide and is otherwise coherent, but it references provider API keys (OPENAI_API_KEY, X-Cohere-Api-Key) and shows examples that read os.environ — yet the registry metadata lists no required env vars. Before installing or running:

1) Treat this as documentation you will run locally, not a black-box plugin that needs your keys.
2) Do not paste full/high-privilege provider keys into the agent chat; instead create scoped API keys with limited quotas for testing.
3) Verify any code you run that calls weaviate.connect_to_*() will only receive the specific env vars you intend to share.
4) If you want the skill to manage keys, ask the publisher to update the metadata to declare required env vars (e.g., OPENAI_API_KEY, COHERE_API_KEY) so the platform can surface permissions.
5) If you prefer to avoid external providers, use the local transformer module option shown (text2vec-transformers) to keep embedding generation on-premises.

If you need higher assurance, request the publisher to provide an explicit list of required credentials and a minimal example that uses least-privilege keys; until then, treat the missing env-var declarations as a red flag.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qaq9wz8rf9p4ybm3mtmfad8190ts


Runtime requirements

🔷 Clawdis
OS: Linux · macOS · Windows
