Vector DB Toolkit
Pass
Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: vector-db-toolkit
Version: 1.0.0
The vector-db-toolkit is a standard implementation of a unified interface for Qdrant, Chroma, and in-memory vector databases. The code follows best practices for its stated purpose, including legitimate use of the OpenAI API for embeddings (scripts/embedding_utils.py) and standard database operations. No indicators of malicious intent, data exfiltration, or prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken delete call could remove a full vector collection rather than just individual records.
The delete method can delete an entire Qdrant collection when no ids are provided. This is a normal vector database administration capability, but it is destructive if invoked with the wrong collection.
else:
    self.client.delete_collection(collection_name=collection)
Use delete operations only with explicit user intent, verify the collection name, and prefer passing specific ids unless the user clearly wants to remove the whole collection.
If OpenAI mode is used, the user's text is sent to OpenAI under the configured API key.
The optional OpenAI embedding provider reads an API key from the environment and sends the provided texts to OpenAI. This is purpose-aligned for embedding generation, but it uses account credentials and external processing.
api_key = os.environ.get("OPENAI_API_KEY")
...
requests.post(
    "https://api.openai.com/v1/embeddings",
    headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    json={"model": self.model_name or "text-embedding-ada-002", "input": texts},
Use only an intended API key, avoid sending sensitive text unless appropriate, and document OPENAI_API_KEY as an optional credential.
Embeddings and payload metadata may remain on the local machine and be reused in later retrieval tasks.
The Chroma backend persists vector data and metadata to disk by default. Persistent vector stores can retain sensitive payload metadata or later influence retrieval results.
self.client = chromadb.PersistentClient(path=path or "/tmp/chroma")
Choose a deliberate storage path, avoid storing sensitive payloads unnecessarily, validate data inserted into collections, and clean up local stores when no longer needed.
Installing later dependency versions could change runtime behavior or introduce dependency-level vulnerabilities.
The dependency list uses lower-bound version ranges rather than pinned versions or a lockfile. The packages are expected for this toolkit, but future dependency versions may differ from what was reviewed.
qdrant-client>=1.7.0
chromadb>=0.4.18
numpy>=1.24.0
requests>=2.31.0
sentence-transformers>=2.2.2
Install from trusted package sources and consider pinning exact versions or using a lockfile in production.
