ClawHub

volcengine-tos-vectors-skills

v1.0.2

Manage vector storage and similarity search using TOS Vectors service. Use when working with embeddings, semantic search, RAG systems, recommendation engines, or when the user mentions vector databases, similarity search, or TOS Vectors operations.

3· 2k·0 current·0 all-time
by@jneless
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, README, WORKFLOWS.md, and the three scripts consistently implement vector-bucket, index, insert, and query operations for a TOS Vectors service. The code and documentation align with the stated purpose.
Instruction Scope
SKILL.md and the scripts explicitly instruct the agent to read environment variables for credentials, create buckets/indexes, insert/query/delete vectors, and call the TOS endpoint. Those instructions stay within the stated purpose and do not reference unrelated system files or exotic endpoints. However, the instructions rely on environment variables and a Python SDK that are not declared in the registry metadata.
Install Mechanism
There is no install spec in the registry (instruction-only), which reduces install-time risk. But the README and SKILL.md require the `tos` Python SDK (specific beta version mentioned). The absence of an install spec means the skill assumes the runtime already has that dependency; this is a documentation/metadata gap rather than obviously malicious behavior.
!
Credentials
The scripts and SKILL.md require TOS_ACCESS_KEY, TOS_SECRET_KEY, and TOS_ACCOUNT_ID (used to initialize tos.VectorClient), but the registry metadata lists no required env vars and no primary credential. Requesting full API keys is proportionate to a cloud vector DB client, but the metadata omission is an incoherence that could mislead users and automated installers about needed secrets.
Persistence & Privilege
The skill does not request always:true, does not declare persistence or modify other skills, and does not require system-wide privileges. It only runs client operations against an external TOS endpoint when invoked.
What to consider before installing
This skill appears to be a legitimate TOS Vectors helper, but the package metadata is incomplete: the scripts and SKILL.md require three environment variables (TOS_ACCESS_KEY, TOS_SECRET_KEY, TOS_ACCOUNT_ID) and the `tos` Python SDK, yet the registry lists none. Before installing or enabling this skill: - Verify the skill source and author (owner id present but homepage/source is unknown). Prefer skills with a known homepage or repo. - Don’t supply high-privilege TOS keys unless you trust the skill and its source. Use least-privilege keys and an account dedicated to testing if possible. - Confirm the endpoint domains (https://tosvectors-cn-beijing.volces.com and https://tosvectors-cn-beijing.ivolces.com) are legitimate for your provider; if unsure, contact the provider or use an official SDK/endpoint. - If you plan to use the CLI scripts, ensure the `tos` SDK version (README suggests a beta) is appropriate and audit that package separately before pip installing. - Ask the publisher/maintainer to update registry metadata to declare required env vars and any install steps so automated tooling and users are not misled. Given the clear metadata mismatch (credentials required but not declared) the skill is suspicious—not necessarily malicious—but you should validate the origin and limit credentials before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971gmwf9a5a54qtfpr2b8pt5s80ge1s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments