Vector DB Toolkit

Pass. Audited by ClawScan on May 7, 2026.

Overview

This skill appears to be a legitimate vector database toolkit, but it can modify or delete vector data, use optional API keys, and persist embeddings locally.

This skill is reasonable for vector database and RAG work. Before installing or using it, be careful with delete operations, only enable OpenAI embeddings when sending the text externally is acceptable, and manage local Chroma storage if vectors or metadata contain private information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken delete call could remove a full vector collection rather than just individual records.

Why it was flagged

The delete method can delete an entire Qdrant collection when no ids are provided. This is a normal vector database administration capability, but it is destructive if invoked with the wrong collection.

Skill content

else:
    self.client.delete_collection(collection_name=collection)

Recommendation

Use delete operations only with explicit user intent, verify the collection name, and prefer passing specific ids unless the user clearly wants to remove the whole collection.

What this means

If OpenAI mode is used, the user's text is sent to OpenAI under the configured API key.

Why it was flagged

The optional OpenAI embedding provider reads an API key from the environment and sends the provided texts to OpenAI. This is purpose-aligned for embedding generation, but it uses account credentials and external processing.

Skill content

api_key = os.environ.get("OPENAI_API_KEY")
...
requests.post(
    "https://api.openai.com/v1/embeddings",
    headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    json={"model": self.model_name or "text-embedding-ada-002", "input": texts},

Recommendation

Use only the intended API key, avoid sending sensitive text unless appropriate, and document OPENAI_API_KEY as an optional credential.

What this means

Embeddings and payload metadata may remain on the local machine and be reused in later retrieval tasks.

Why it was flagged

The Chroma backend persists vector data and metadata to disk by default. Persistent vector stores can retain sensitive payload metadata or later influence retrieval results.

Skill content

self.client = chromadb.PersistentClient(path=path or "/tmp/chroma")

Recommendation

Choose a deliberate storage path, avoid storing sensitive payloads unnecessarily, validate data inserted into collections, and clean up local stores when no longer needed.

What this means

Installing later dependency versions could change runtime behavior or introduce dependency-level vulnerabilities.

Why it was flagged

The dependency list uses lower-bound version ranges rather than pinned versions or a lockfile. The packages are expected for this toolkit, but future dependency versions may differ from what was reviewed.

Skill content

qdrant-client>=1.7.0
chromadb>=0.4.18
numpy>=1.24.0
requests>=2.31.0
sentence-transformers>=2.2.2

Recommendation

Install from trusted package sources and consider pinning exact versions or using a lockfile in production.