Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dual Retrieval

v1.0.0

Combines M-Flow graph topology and QMD BM25+vector retrieval to merge and rank results for precise multi-hop and semantic search.

by sune @sora-mury

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sora-mury/dual-retrieval.

Install the skill "Dual Retrieval" (sora-mury/dual-retrieval) from ClawHub.
Skill page: https://clawhub.ai/sora-mury/dual-retrieval
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install dual-retrieval

ClawHub CLI

npx clawhub@latest install dual-retrieval

Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name and description match the code: it combines M-Flow and QMD search results and implements merging strategies. However, the skill expects local QMD artifacts and a local 'm-flow' skill directory (loaded dynamically) even though SKILL.md and registry metadata declare no config paths or credentials. The requirement to access a local QMD DB and a sibling skill directory is not declared in the metadata.
! Instruction Scope
SKILL.md describes the high-level pipeline but does not mention reading the user's local QMD SQLite DB or writing a report to disk. The included Python code directly opens C:/Users/Administrator/.cache/qmd/index.sqlite, issues arbitrary SQL, prints sample rows, and the test writes a report to a knowledge/ directory. Those file accesses and outputs are outside what the SKILL.md explicitly documents and could expose private data.
Install Mechanism
There is no installer (instruction-only from registry perspective). That reduces supply-chain risk. However, the skill includes Python code files that will be executed when the skill is used; no network downloads or third-party package installations are declared in the install metadata.
! Credentials
The skill requests no environment variables or credentials, yet it reads a hard-coded, absolute Windows path (C:/Users/Administrator/.cache/qmd/index.sqlite) and attempts to load a .env from a sibling m_flow directory. Access to a user's local document index (QMD DB) is equivalent to requesting access to potentially sensitive data and should have been declared as a required config path or credential. Dynamic importing of a local 'm-flow' skill directory also implies access to code and env that belong to other skills without declaration.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does write a report file in the test code (knowledge/dual-retrieval-report.md) and may create directories, but it does not modify other skills' configurations or request persistent agent-level privileges.
What to consider before installing
This skill does what it claims (combines M-Flow and QMD results) but the implementation reads a hard-coded local QMD SQLite database and dynamically loads a local 'm-flow' module without declaring those accesses. Before installing or running:
- Treat this as potentially accessing private local documents (QMD DB). Do not run it in an environment with sensitive data unless you reviewed or sandboxed it.
- Inspect or run the scripts in a safe, isolated environment (disposable VM or container). Confirm the C:/Users/Administrator/.cache/qmd/index.sqlite path and any data it contains.
- If you expect to use it, ask the author to parameterize the DB path and m-flow location (don’t hard-code C:\Users\Administrator...), declare required config paths in metadata, and avoid printing or writing raw document content.
- Verify the dynamically loaded m-flow code is from a trusted source before allowing the skill to import it.
- If you cannot confirm these changes, consider the skill suspicious and avoid granting it access to your real data or environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk97386pbg0pxeh0vfejt1bs6mx849d2d
88 downloads
0 stars
1 version
Updated 3w ago
MIT-0

Dual Retrieval Skill - Phase 4

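Description

Dual retrieval: M-Flow (graph-topology retrieval) and QMD (BM25 + vector retrieval) complement each other's strengths.

M-Flow vs QMD Comparison

| Feature | M-Flow | QMD |
|---|---|---|
| Retrieval method | Graph topology + Bundle Search | BM25 + vector + rerank |
| Best suited for | Precise Q&A, multi-hop reasoning | Keyword search, semantic similarity |
| Memory structure | Four-layer Cone Graph | Multiple Collections |
| Strengths | Temporal reasoning, relational reasoning | Flexible, already configured |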

Workflow

Query → 
  ├── M-Flow.search() → Episode + Facet + Entity
  └── QMD search → files + snippets
      ↓
Merge results → Deduplicate → Rank → Return

File Structure

dual-retrieval/
├── SKILL.md
├── scripts/
│   ├── __init__.py      # DualRetrievalPipeline
│   └── test_dual.py     # Tests

Dependencies

  • m-flow-memory skill (MFlowMemory)
  • QMD (qmd tools)
