Knowtrust Graph Publish

Audited by ClawScan on May 13, 2026.

Overview

The skill’s knowledge-graph behavior is mostly coherent, but its documented setup installs and executes code fetched from an unpinned, placeholder GitHub source rather than from a verified copy of the package.

Review the installation path before using this skill. The knowledge-graph functions appear purpose-aligned, but do not run the curl-bash installer from the placeholder GitHub URL unless you have verified the repository and code. If you use the tool, check extracted facts before confirming writes and avoid storing secrets or highly sensitive documents in the local graph.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user follows the documented installer, the code that later runs as ~/.zhixin/kg.py may come from an unverified or changed remote source.

Why it was flagged

The installer downloads the executable helper from a mutable raw GitHub URL using a placeholder repository name, while the registry source is unknown and there is no pinned release, checksum, or install spec tying the runtime file to the reviewed artifact.

Skill content

REPO="你的用户名/zhixin-graph"
BASE_URL="https://raw.githubusercontent.com/$REPO/$BRANCH"
curl -sL "$BASE_URL/kg.py" -o ~/.zhixin/kg.py
chmod +x ~/.zhixin/kg.py

Recommendation

Install only from a verified repository or pinned release, avoid curl-bash from placeholder/unknown URLs, and prefer running the bundled reviewed kg.py directly or verifying hashes before use.

What this means

Information added to the graph can be reused in later searches or reasoning, so incorrect, sensitive, or private facts may persist until changed or removed.

Why it was flagged

The skill is designed to persist extracted conversation or document knowledge into a reusable graph after confirmation.

Skill content

Analyze the current conversation/document, extract entities/relations/facts → preview → user confirmation → batch write

Recommendation

Review the extraction preview carefully, keep sensitive material out unless you intend to store it, and treat unverified/imported facts as untrusted until validated.

What this means

If semantic embedding is used, selected knowledge text may be sent to the local Ollama service; this is local but still depends on that service being trusted.

Why it was flagged

The optional embedding feature sends text to a locally running Ollama service for semantic search.

Skill content

OLLAMA_URL = "http://127.0.0.1:11434"
... urllib.request.Request(f"{OLLAMA_URL}/api/embeddings", data=json.dumps(payload).encode(), method="POST"

Recommendation

Use semantic embedding only with a trusted local Ollama setup, and avoid embedding sensitive text if other local users or services could access it.