Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
RAG Retriever V3
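v3.0.0 Enterprise-grade document retrieval system supporting multi-model semantic embeddings, hybrid vector + keyword search, Cross-Encoder reranking, and full source citations.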
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (enterprise RAG retriever) align with the delivered code and SKILL.md. The code implements embeddings (local Xenova and optional OpenAI), BM25, RRF fusion, Cross‑Encoder reranker, citation manager and CLI as advertised. The only minor mismatch: the package metadata declares no required env vars, but the code and docs reference OPENAI_API_KEY as an optional variable used when selecting OpenAI embeddings; this is reasonable (optional) but not listed in the 'required env' manifest.
Instruction Scope
SKILL.md instructs installing dependencies and running the provided CLI and JS API — these stay within the stated retrieval/generation scope. However the skill generates full RAG prompts and exposes an option to inject a 'systemPrompt' into the generated prompt (CitationManager.generateRAGPrompt). This is expected for RAG workflows but is a surface where adversarial or untrusted documents (or provided systemPrompt values) can influence downstream model behavior (prompt‑injection risk). The SKILL.md also reads/writes local config (.rag3-config.json) and data/ directories as part of normal operation.
Install Mechanism
There is no custom install script in the registry entry (instruction-only), but SKILL.md recommends npm install which will fetch standard npm packages listed in package.json/package-lock.json (LanceDB, Xenova transformers, jieba, apache-arrow). Dependencies come from npm and are traceable; there are no arbitrary URL downloads or obscure extract steps in the provided manifest. Note: @xenova/transformers or runtime libraries may fetch model weights at runtime (network/cdn access) and native optional artifacts are present in package-lock.
Credentials
The skill does not require unrelated credentials. The only credential-like env var referenced is OPENAI_API_KEY (used optionally when provider='openai' or createEmbeddingProvider auto-detects it). That is proportionate to the described capability. It would be clearer if OPENAI_API_KEY were declared in the skill manifest as optional.
Persistence & Privilege
The skill is not flagged always:true and uses normal local data/config paths (dbPath, .rag3-config.json, data/). It does not attempt to modify other skills or system-wide agent settings. Autonomous invocation remains allowed (platform default) but that is expected for skills of this type.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and CitationManager expose a 'systemPrompt' and generate full prompts including a system-level instruction. This is expected for a RAG component that constructs prompts to send to an LLM, but it is also a potential prompt-injection surface if untrusted inputs are stored as documents or passed as systemPrompt.
Assessment
This skill appears to implement the advertised RAG functionality and is internally consistent. Before installing, consider: (1) OPENAI_API_KEY is used optionally but not listed as a required env var — only provide it if you want cloud embeddings. (2) The skill stores data and config locally (.rag3-config.json and a LanceDB data folder) — run it in a directory you control and inspect created files. (3) Xenova/transformers or other runtime libs may download model weights at runtime and can be resource‑heavy; if you have bandwidth or disk limits, test in a sandbox. (4) The RAG prompt generator accepts/embeds a systemPrompt; avoid adding untrusted documents to the corpus or passing arbitrary system prompts, because they can influence LLM outputs (prompt‑injection risk). (5) As with any third‑party code, review dependencies (package-lock.json) and run tests in an isolated environment before giving it access to sensitive data or credentials.
test/run-all-tests.js:22
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
