Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ragtop-planner

v1.0.2

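A Skill for external OpenClaw that drafts influencer promotion plans. Based on RAGTOP's three tool interfaces (list_kb/list_doc/retrieval), it runs a four-stage workflow: rule extraction, case summarization, influencer screening, and plan generation.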

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description state the skill will use RAGTOP's list_kb/list_doc/retrieval APIs; the only required credential is RAGTOP_API_TOKEN (primary) and an optional RAGTOP_API_URL. Required items align with the stated function—no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md gives detailed runtime instructions to call RAGTOP endpoints, run multi-step retrieval and LLM summarization, and return traceable citations. This stays within the planning purpose. Two practical notes: (1) the docs assume the agent can perform HTTP calls (curl examples) though no curl binary is declared; (2) the default RAGTOP_API_URL points to a private IP (http://10.71.10.71:9380), so network traffic will go to that internal host unless the user overrides it—users should confirm that host is expected and trusted.
Install Mechanism
Instruction-only skill with no install spec and no code files—nothing is downloaded or written to disk by the skill bundle itself, which is the lowest-risk install model.
Credentials
Only RAGTOP_API_TOKEN is required (primary). An optional RAGTOP_API_URL is documented. The requested environment access is proportional to a skill that must call an external RAGTOP service. No additional secret/env requests appear.
Persistence & Privilege
The skill is not forced-always, does not request persistent/privileged presence, and does not instruct modifying other skills or system-wide settings. Autonomous model invocation remains enabled (platform default) but is not a new privilege requested by the skill.
Assessment
This skill appears coherent and implements what it claims: it will call a RAGTOP service using the provided RAGTOP_API_TOKEN and optional RAGTOP_API_URL, retrieve documents, and synthesize a plan. Before installing, confirm these points: (1) Verify you intend the agent to contact the RAGTOP host—SKILL.md defaults to an internal IP (http://10.71.10.71:9380); change RAGTOP_API_URL if that is not your service. (2) Provide a token with the least privilege needed and confirm the token's tenant/scope; the token gives access to knowledge bases and document contents. (3) Understand that retrieved documents and user queries will be sent to the RAGTOP service—do not use a token that grants access to sensitive data you don't want exposed. (4) Ensure your agent environment can make outbound HTTP calls (the docs use curl) and that network routing to the default host is expected. (5) The skill uses LLM prompts to avoid hallucinations and require traceability, but you should still review generated plans and citations before acting. If you are concerned about autonomous invocation, restrict or audit when the skill can be used or require explicit user invocation.


latestvk9724btvkxyk23mr7hzb8g66gn81zvzv


Runtime requirements

Clawdis
Env: RAGTOP_API_TOKEN
Primary env: RAGTOP_API_TOKEN
