ragflow-skill-python0418
v1.0.0
Use for RAGFlow dataset tasks: create, list, inspect, update, or delete datasets; upload, list, update, or delete documents; start or stop parsing; check par...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description (RAGFlow dataset tasks) matches the bundled Python scripts and the two environment variables (RAGFLOW_API_URL, RAGFLOW_API_KEY). The required binary (python3) is appropriate. All scripts make HTTP calls to the provided base URL and require the RAGFlow API key for Authorization, which is expected for this purpose.
Instruction Scope
SKILL.md restricts the agent to use the bundled scripts in scripts/ and documents expected CLI commands and guardrails (e.g., require explicit confirmation before deletes). The scripts themselves require explicit IDs for delete operations but do not perform interactive confirmation; the SKILL.md relies on the agent to enforce interactive confirmation. This is a design/operational note (agent must follow the guardrail) rather than evidence of malicious behavior.
Install Mechanism
No install spec is provided (instruction-only / scripts bundled with the skill). There are no downloads or archive extracts. Risk from installation is minimal.
Credentials
Only RAGFLOW_API_URL and RAGFLOW_API_KEY are required; the primaryEnv is RAGFLOW_API_KEY. These variables are necessary and proportionate for an HTTP client interacting with a RAGFlow API. The code does not request unrelated secrets or filesystem config paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalations here.
Assessment
This skill appears to do what it claims. Before installing:
- Only set RAGFLOW_API_URL to a trusted RAGFlow server; the provided RAGFLOW_API_KEY will be sent as a Bearer token to that URL. Treat that key as sensitive.
- Prefer creating a scoped API key with least privilege (e.g., read-only for listing/search, restricted for delete/upload) rather than using a highly privileged account.
- The SKILL.md requires explicit user confirmation before deletes, but the delete scripts only accept --ids (no interactive prompt). Ensure your agent enforces confirmation before invoking delete commands.
- Review any included agent config (e.g., agents/openai.yaml) before use to confirm no unexpected autonomous workflows are configured.
- If you need higher assurance, run the bundled scripts manually in a controlled environment first to observe their behavior and ensure the API URL is correct.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3
Env: RAGFLOW_API_URL, RAGFLOW_API_KEY
Primary env: RAGFLOW_API_KEY
