ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HK-101 Living RAG

Provides answers by retrieving and synthesizing information from local text or markdown files using a retrieval-augmented generation approach.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 797 · 2 current installs · 2 all-time installs
byMetatronScoob_369@Metatronsdoob369
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes a local RAG over markdown/text — that purpose aligns with needing an API key to call models and access to a docsPath. However the registry metadata lists no required env vars while the runtime instructions explicitly say 'Requires: OPENAI_API_KEY in env', which is an internal inconsistency.
Instruction Scope
Instructions are short and focused: take a query, look in docsPath (default ./docs), return top-k matches and a synthesized answer. This stays within the stated purpose, but it authorizes reading arbitrary files under the docsPath without guidance or safeguards — that can expose sensitive local content if the docsPath is broad or mis-set.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal install risk (nothing is downloaded or written to disk by the skill itself).
Credentials
The skill only needs an OPENAI_API_KEY (reasonable for RAG). But the manifest metadata does not declare this env var while SKILL.md does, creating an unexpected credential requirement that should be corrected/confirmed.
Persistence & Privilege
Skill does not request always:true and is user-invocable with normal autonomous invocation allowed — no elevated persistence or cross-skill config access is requested.
What to consider before installing
This skill appears to implement a straightforward local RAG, which legitimately needs an OpenAI API key and access to a docs folder. Before installing: (1) confirm the registry metadata is updated to list OPENAI_API_KEY (the SKILL.md requires it but the manifest does not), (2) decide and restrict which docsPath will be used (avoid pointing it at broad/system folders to prevent accidental exposure of secrets), and (3) if you will supply an OPENAI_API_KEY, consider scoping or using a key with limited quota/permissions. If you need stronger assurance, ask the publisher for a full description and example run, and for explicit limits on which filesystem paths the skill will read.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk973myxassy7140pdehgf4y4z1810trx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

claw-rag

Simple RAG over local text/markdown.

Inputs

  • query (string): question to answer.
  • docsPath (string, optional): folder of docs (default ./docs relative to CWD).
  • k (number, optional): number of top matches (default 3).

Output

  • answer: synthesized answer from matches.
  • matches: [{path, score, snippet}...]

Requires: OPENAI_API_KEY in env.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…