ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voyage AI CLI

v1.4.0

Voyage AI embedding and reranking CLI integrated with MongoDB Atlas Vector Search. Use for: generating text embeddings, reranking search results, storing embeddings in Atlas, performing vector similarity search, creating vector search indexes, listing available models, comparing text similarity, bulk ingestion, interactive demos, and learning about AI concepts. Triggers: embed text, generate embeddings, vector search, rerank documents, voyage ai, semantic search, similarity search, store embeddings, atlas vector search, embedding models, cosine similarity, bulk ingest, explain embeddings.

0· 1.8k·1 current·1 all-time
byMichael Lynn@mrlynn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description, required binary ('vai'), and VOYAGE_API_KEY align with a CLI that calls Voyage AI and Atlas APIs. Minor mismatch: the SKILL.md documents use of MONGODB_URI (for storing/searching) but that env var is not declared in the skill's requires.env; otherwise required pieces make sense for the stated purpose.
Instruction Scope
SKILL.md is an instruction-only wrapper that tells the agent to run the 'vai' CLI with commands for embedding, indexing, search, reranking, config management, completions, and ingestion. These steps stay within the stated domain. The instructions do include writing shell completion files (~/.bashrc, ~/.zsh/completions) and using 'vai config' to persist an API key in the user's config — expected for a CLI but worth noting. No instructions attempt to access unrelated files or external endpoints beyond the Voyage/MongoDB services documented.
Install Mechanism
Install uses npm (package: voyageai-cli, global installation). npm is an expected distribution channel for a Node.js CLI. This is moderate-risk relative to a curated package store but is proportionate and consistent with the skill's purpose; there are no ad-hoc download URLs or archive extractions in the spec.
!
Credentials
The skill declares VOYAGE_API_KEY as required (appropriate). However, SKILL.md refers to MONGODB_URI for store/search/index operations but MONGODB_URI is not listed in requires.env. The absence of an explicit primaryEnv (VOYAGE_API_KEY could reasonably be primary) and the undocumented optional env variable is a documentation/integration inconsistency the user should be aware of before installing.
Persistence & Privilege
always:false (default) and disable-model-invocation:false — normal. The CLI supports persistent config (vai config set api-key) which will store the API key locally in the user's config; that is expected behavior for a CLI but users should be aware it persists credentials to disk. The skill does not request system-wide or other skills' settings.
Assessment
This skill is a coherent CLI wrapper for Voyage AI + MongoDB Atlas Vector Search, but check a few things before installing: 1) The package installs globally via npm — verify the 'voyageai-cli' package and its maintainer (npm listing and GitHub repo) so you trust what code will be run on your machine. 2) You must provide VOYAGE_API_KEY; the SKILL.md also references MONGODB_URI for DB operations but that env var is not declared — only set MONGODB_URI when you intend to allow the CLI to connect to your Atlas cluster. 3) The CLI can persist an API key via 'vai config', which writes to your home directory; prefer least-privilege API keys and consider using ephemeral or scoped credentials. 4) The README instructs adding shell completion to ~/.bashrc or zsh completion directories — these modify your shell config. 5) If you need higher assurance, inspect the npm package code (postinstall scripts, config storage location) or run the CLI in an isolated environment (container or separate account) before giving it production credentials.

Like a lobster shell, security has layers — review code before you run it.

clivk9745ze7bze7f747bpz3298k5s80fk34databasevk9745ze7bze7f747bpz3298k5s80fk34latestvk9745ze7bze7f747bpz3298k5s80fk34llmvk9745ze7bze7f747bpz3298k5s80fk34mongodbvk9745ze7bze7f747bpz3298k5s80fk34rerankingvk9745ze7bze7f747bpz3298k5s80fk34stablevk9745ze7bze7f747bpz3298k5s80fk34vectorsearchvk9745ze7bze7f747bpz3298k5s80fk34voyageaivk9745ze7bze7f747bpz3298k5s80fk34

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧭 Clawdis
Binsvai
EnvVOYAGE_API_KEY

Comments