ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

local-file-rag-basic

High-performance local File RAG suite (Basic Edition).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.4k · 30 current installs · 30 all-time installs
by@wjreliable
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (local file RAG) match the code and README: the skill walks the workspace, extracts text/metadata, chunks documents/code, indexes chunks into a local SQLite DB and performs BM25 retrieval. Required capabilities (file I/O, local DB, optional document parsers) are coherent with the stated purpose.
Instruction Scope
SKILL.md and README describe scanning the local workspace and the tool API. The implementation will recursively read many supported file types, extract and index content, and return snippets or full small files. This is expected for a RAG tool but means the skill will read project files (potentially including sensitive configs or secrets if present in files). The SKILL.md/README do mention automatic dependency handling; runtime code performs network installs (see install_mechanism).
!
Install Mechanism
There is no explicit external install spec, but the runtime code calls npm via child_process.execSync to automatically install missing dependencies (mammoth, pdf-parse, xlsx) into the skill directory using network access. This is a moderate supply-chain/network activity risk: it downloads packages at runtime (though the packages are common), runs a shell command from within the skill, and writes node_modules to disk. The package.json and package-lock are present, which helps review, but the automatic, silent npm install behavior merits caution.
Credentials
The skill requests no environment variables or external credentials. It only requires Node.js runtime and file system access to the chosen workspace, which is proportional to its stated functionality.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It creates and writes a local SQLite DB under workspaceDir/.storage and may create node_modules under the skill directory when auto-installing dependencies. These are scoped to the skill/workspace but are persistent on disk; this is expected behavior for a local indexer but users should be aware of these on-disk artifacts.
Assessment
This skill appears to do what it says: indexing and searching files in your workspace. Before installing or running it, consider: (1) It will recursively read many files in the provided workspace — do not point it at directories containing secrets you don't want indexed. (2) At runtime it may perform 'npm install' (network download) to fetch optional parsers and will write node_modules and a SQLite DB (.storage/code-rag.db) to disk — review package.json/package-lock and run in an isolated environment if you have supply-chain concerns. (3) If you need stronger isolation, run the skill in a sandboxed agent workspace or inspect/modify the code to disable auto-install and confirm which directories are scanned. If you want, I can point out the exact lines that perform the npm install and the DB/file-walk behavior.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk976ccq0b2d3wvsthfkz0ejyq981pp0p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Skill: Local File RAG Search (Basic Edition)

Description

This is the Basic Edition of the high-performance local RAG suite, providing efficient code and document retrieval within constraints.

  • Constraints:
    • Only indexes files under 20MB.
    • Uses single-threaded (sequential) indexing for lower resource usage.
  • Support: JS/TS, Python, C++, Go, Markdown, PDF, DOCX, XLSX, etc.

Tools

local_file_rag_search

Efficiently searches the local workspace.

Parameters:

  • query (string, required): Search terms or function names.
  • targetFile (string, optional): Specific file path to restrict the search.
  • rootDir (string, optional): Root directory to scan.

Output Protocol: Returns a structured result with Skeletons, Metadata, and Clustered Code Snippets.

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…