Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qdrant Advanced
v1.0.0Advanced Qdrant vector database operations for AI agents. Semantic search, contextual document ingestion with chunking, collection management, snapshots, and...
⭐ 0· 635·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the delivered artifacts: the repository includes search, ingest, manage, backup, and migrate scripts that call Qdrant and generate embeddings with OpenAI. Required binaries (curl, python3, bash) and an OpenAI API key are appropriate for these tasks.
Instruction Scope
The scripts will transmit user content and query text to OpenAI's embeddings API (https://api.openai.com/v1/embeddings) — this is expected for embedding generation but is effectively external data transmission. Qdrant calls use plain HTTP (QDRANT_URL="http://..."), so if you point the scripts to a remote Qdrant host traffic (including payloads) may be unencrypted. The SKILL.md and examples instruct you to export OPENAI_API_KEY and run the scripts, which is consistent with their behaviour.
Install Mechanism
No install spec; the skill is instruction+script based and does not download or extract external code at install time. The payload is a set of local shell/python scripts (no remote installs), which reduces supply-chain risk.
Credentials
OPENAI_API_KEY is required and used for embeddings (consistent with ingest/search/re-embedding). QDRANT_HOST and QDRANT_PORT are used and sensible. SKILL.md mentions an optional QDRANT_API_KEY but none of the scripts actually read or use QDRANT_API_KEY for Authorization — a mismatch you should be aware of (if your Qdrant requires auth the scripts will fail or leak data). The skill declares QDRANT_HOST/QDRANT_PORT/OPENAI_API_KEY as required in metadata even though the docs show defaults for host/port; this is a minor inconsistency.
Persistence & Privilege
always is false and the skill does not attempt to modify other skill configs or persist itself. It performs normal CRUD operations against the Qdrant server and local uploads; no privileged or persistent platform-level operations are requested.
Assessment
This skill provides local shell scripts that will (a) send document text and queries to OpenAI to generate embeddings, and (b) send data to your Qdrant host. Before installing or running: 1) Be aware that any files you ingest will be transmitted to OpenAI — do not ingest sensitive or regulated data unless you have reviewed your policy and the OpenAI terms. 2) If your Qdrant is remote, note the scripts use HTTP (not HTTPS) by default; consider running Qdrant locally or modifying scripts to use HTTPS and to include an Authorization header. 3) The SKILL.md mentions QDRANT_API_KEY but the scripts do not use it — if your Qdrant requires authentication you will need to add authorization headers to curl calls. 4) There are small code issues (e.g., a typo in manage.sh optimizer call) and typical shell-quoting fragility — review and test the scripts in an isolated environment before running on production data. 5) Limit the OpenAI key's scope and monitor usage/quotas if possible (rotate or use an organization key with usage limits) to reduce blast radius.Like a lobster shell, security has layers — review code before you run it.
embeddingsvk97c6973sbdywnw6gs21ffhz4181d1qjlatestvk97c6973sbdywnw6gs21ffhz4181d1qjqdrantvk97c6973sbdywnw6gs21ffhz4181d1qjsemantic-searchvk97c6973sbdywnw6gs21ffhz4181d1qjvector-databasevk97c6973sbdywnw6gs21ffhz4181d1qj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binscurl, python3, bash
EnvQDRANT_HOST, QDRANT_PORT, OPENAI_API_KEY