ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Engineer

AI/ML engineering specialist for building intelligent features, RAG systems, LLM integrations, data pipelines, vector search, and AI-powered applications. Us...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 176 · 2 current installs · 2 all-time installs
by@Bullkis1
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AI/ML engineering, RAG, vector DBs, LLM integrations) aligns with the content: examples cover embeddings, Chroma, Pinecone, Qdrant, OpenAI, local models, etc. That breadth is consistent for an "AI Engineer" reference skill. However, the skill references multiple external providers and tools (OpenAI, Pinecone, Qdrant, Weaviate, Ollama, etc.) but the metadata does not declare any required credentials or binaries — an implementation/manifest gap.
!
Instruction Scope
Runtime instructions include concrete code that reads env vars (e.g., os.environ['OPENAI_API_KEY']), calls cloud APIs, stores documents to persistent DBs, spawns sub-agents, and logs prompts/usages. While each action is expected for building RAG/agent systems, the SKILL.md gives the agent broad discretion (memory saving, sub-agent delegation) that could cause sensitive data to be stored or transmitted if used with real credentials or production data. The instructions do not limit or specify where secrets or logs go.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — minimal on-disk impact and no third-party binaries are installed by the skill itself. That lowers supply-chain risk.
!
Credentials
The SKILL.md explicitly uses environment variables (OPENAI_API_KEY in examples) and references many services that require credentials (Pinecone, Qdrant, Weaviate, Ollama, etc.), but the skill metadata lists no required env vars or a primary credential. This mismatch means the skill could prompt the agent to access secrets that aren't declared up-front, and a user might inadvertently provide high-privilege credentials when enabling the skill. Logging guidance ('Log everything — prompts, completions, latency, token usage') increases the risk that sensitive content (including secrets) will be persisted.
Persistence & Privilege
always:false and default autonomous invocation are appropriate. The skill references spawning OpenClaw sub-agents and saving memories to stores, which are normal for the domain, but there is no evidence it requests permanent platform-level privileges or modifies other skills' configs.
What to consider before installing
This is an instruction-only reference for building RAG/agent systems and appears coherent in purpose, but metadata omits environment variables and credential requirements shown in the examples (e.g., OPENAI_API_KEY). Before installing or running with real data or real credentials: (1) treat the skill as documentation/examples only — it contains code that will read env vars and call external APIs; (2) do not provide high-privilege or production credentials until you confirm which specific keys the skill will use; (3) run any code snippets in an isolated/sandbox environment and review logging/storage targets (memory_store, persistent DB paths) to avoid accidental data retention; (4) ask the publisher or maintainer to declare required env vars and scopes, and to limit instructions that persist user data; (5) consider limiting or auditing sub-agent delegation and automatic memory persistence when testing. The absence of scan findings is not evidence of safety — the main issue is the manifest/instruction mismatch and potential for sensitive data to be logged or stored.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97eq6w8r1ktvyn5ggm0e0waad82jx96

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AI Engineer

Build practical AI systems that work in production. Data-driven, systematic, performance-focused.

Core Capabilities

  • LLM Integration: OpenAI, Anthropic, local models (Ollama, llama.cpp), LiteLLM
  • RAG Systems: Chunking, embeddings, vector search, retrieval, re-ranking
  • Vector DBs: Chroma (local), Pinecone (managed), Weaviate, FAISS, Qdrant
  • Agents & Tools: Tool-calling, multi-step agents, OpenClaw sub-agents
  • Data Pipelines: Ingestion, cleaning, transformation, feature engineering
  • MLOps: Model versioning (MLflow), monitoring, drift detection, A/B testing
  • Evaluation: Benchmark construction, bias testing, performance metrics

Decision Framework

Which LLM provider?

  • Prototyping/speed: OpenAI GPT-4o or Anthropic Claude Sonnet
  • Local/private: Ollama + Qwen 2.5 32B or Llama 3.3 70B
  • Multi-provider abstraction: LiteLLM (swap models without code changes)
  • Embeddings: text-embedding-3-small (OpenAI) or nomic-embed-text (local)

Which vector DB?

  • Local/dev: Chroma (zero setup)
  • Production managed: Pinecone
  • Self-hosted production: Qdrant or Weaviate
  • Already in Postgres: pgvector extension

RAG or fine-tuning?

  • RAG first — always try RAG before fine-tuning. 90% of cases RAG is enough.
  • Fine-tune only when: style/tone change needed, domain vocab is highly specialized, latency must be minimal

RAG Workflow

1. Ingest

# Chunk documents (rule of thumb: 512 tokens, 50 overlap)
from langchain.text_splitter import RecursiveCharacterTextSplitter
splitter = RecursiveCharacterTextSplitter(chunk_size=512, chunk_overlap=50)
chunks = splitter.split_documents(docs)

2. Embed + store

import chromadb
from chromadb.utils.embedding_functions import OpenAIEmbeddingFunction

client = chromadb.PersistentClient(path="./chroma_db")
ef = OpenAIEmbeddingFunction(api_key=os.environ["OPENAI_API_KEY"], model_name="text-embedding-3-small")
collection = client.get_or_create_collection("docs", embedding_function=ef)
collection.add(documents=[c.page_content for c in chunks], ids=[str(i) for i in range(len(chunks))])

3. Retrieve + generate

results = collection.query(query_texts=[user_query], n_results=5)
context = "\n\n".join(results["documents"][0])

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[
        {"role": "system", "content": f"Answer based on this context:\n{context}"},
        {"role": "user", "content": user_query},
    ]
)

See references/rag-patterns.md for advanced patterns: re-ranking, hybrid search, HyDE, eval.

LLM Tool Calling (Agents)

tools = [{
    "type": "function",
    "function": {
        "name": "search_docs",
        "description": "Search internal documentation",
        "parameters": {
            "type": "object",
            "properties": {"query": {"type": "string"}},
            "required": ["query"]
        }
    }
}]

response = openai.chat.completions.create(model="gpt-4o", messages=messages, tools=tools)

See references/agent-patterns.md for multi-step agent loops, error handling, tool schemas.

Critical Rules

  • Evaluate early — build an eval set before you build the system
  • RAG before fine-tuning — always
  • Log everything — prompts, completions, latency, token usage from day one
  • Test for bias — especially for user-facing classification or scoring systems
  • Never hardcode API keys — use env vars or secret managers

References

  • references/rag-patterns.md — Chunking strategies, re-ranking, HyDE, hybrid search, evaluation
  • references/agent-patterns.md — Tool calling, multi-step loops, memory, error handling

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…