Graphify
Review. Audited by ClawScan on May 10, 2026.
Overview
Review recommended: this knowledge-graph skill is coherent in purpose, but it makes conflicting local-only/no-key claims while asking for API keys and broadly indexing local files through an unreviewed referenced script.
Do not assume this skill is fully local or credential-free. Before installing, verify the referenced Python script, confirm whether any project content is sent to external LLM APIs, use limited/test API keys, and run it only on directories that exclude secrets and private files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: A user may install it believing their repository and documents remain fully local, while the instructions also support use of external LLM credentials for semantic processing.
Description: The same artifact tells users data stays local and no external API is needed, then later says cloud LLM API keys are required for semantic extraction. That can mislead users about where code or documents may be processed.
Evidence: “Status: ✅ runs fully locally, no external API needed” ... “Runs locally, data stays secure” ... “Requires an API key: ANTHROPIC_API_KEY or OPENAI_API_KEY, used for semantic extraction”
Recommendation: Clarify whether semantic extraction is local-only or uses Anthropic/OpenAI/Graphify APIs, and require explicit user confirmation before sending project content to any external provider.
Finding 2
Impact: A user could expose billable LLM credentials to a tool whose implementation is not included in the reviewed artifacts.
Description: The SKILL front matter says an API key is not required, but the usage section asks users to configure Anthropic, OpenAI, or Graphify API keys. This under-declares credential requirements and account authority.
Evidence: “requires_api_key: false” ... “Requires an API key: ANTHROPIC_API_KEY or OPENAI_API_KEY” ... “export GRAPHIFY_API_KEY=your-key”
Recommendation: Declare required credentials in metadata, document exactly which provider keys are used and for what, and recommend limited-scope keys where possible.
Finding 3
Impact: Private source code, documents, images, or media metadata could be summarized and stored for later reuse in graphify-out/.
Description: The skill is designed to turn broad local project and media content into a persistent queryable graph and cache, but the artifact does not describe exclusions, retention, cleanup, or safeguards for secrets and private files.
Evidence: “Convert code bases, documents, images and videos into a queryable knowledge graph” ... “All artifacts are located in the graphify-out/ directory” ... “graph.json” ... “cache/”
Recommendation: Run only on a reviewed project copy, exclude secrets and private files, and add clear configuration for allowed paths, ignored patterns, retention, and deletion.
Finding 4
Impact: The user or agent may execute an unreviewed local script that can read repositories and use API keys.
Description: The SKILL tells users to run a local Python implementation, but the supplied package contains only SKILL.md and no install spec or code file for that implementation. Its provenance and behavior cannot be reviewed from the provided artifacts.
Evidence: “The Python implementation is located at `~/.workbuddy/skills/graphify.py`” ... “python ~/.workbuddy/skills/graphify.py build .”
Recommendation: Provide the referenced Python source and install steps in the skill package, pin dependencies, and avoid asking users to run out-of-package code unless they have verified it.
