原子化RAG知识库构建器

This skill largely implements a reasonable PDF→RAG pipeline, but several red flags mean you should be careful before installing or running it: - Check package.json: it contains an apparent GitHub token embedded in the repository URL. Treat that as a leaked secret — do not reuse it, and avoid trusting it. If you plan to use this code, remove/rotate the token and confirm it is not active. - Expect to provide external credentials at runtime: OpenAI (or another embedding provider) API key, and any vector DB credentials (Chroma/Milvus/Pinecone). The skill does not declare these, but the code will call embedding/vector services. - System binaries are required but not declared: OCR (pytesseract) usually needs Tesseract installed on the host; pdf2image and pdf processing may need poppler. Install these in a controlled environment before running. - Run in an isolated environment first (sandbox/VM/container) and inspect network activity: the code will perform network calls to embedding providers and possibly vector DBs. Monitor outbound connections and avoid processing sensitive documents until you confirm where data is sent. - Review and test with non-sensitive PDFs: verify which external endpoints are contacted and what metadata/contents are transmitted (embeddings are generated by sending text to an embedding API). - If you will use this for medical content, be aware this code extracts diagnostic/treatment steps — ensure compliance with applicable regulations and have domain experts validate outputs. Given the evidence (missing declared env vars, system deps, and an embedded token), treat this skill as suspicious until you fix/confirm the issues above. If you want, I can point to the exact lines/files where environment-dependent calls are made and suggest specific mitigations (e.g., declare required env vars, remove tokens, add installation notes for system binaries).