ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TurboQuant Memory

v2.0.0

Compress and accelerate vector search in memory/RAG systems using TurboQuant (ICLR 2026) — near-optimal vector quantization with 5-8x compression and 98%+ se...

0· 114·0 current·0 all-time
bySunnyZhou@sunnyztj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and the scripts all align: this is a local numpy-based implementation of a vector quantizer that detects SQLite embedding tables, quantizes embeddings, and writes results to a new 'quantized_embeddings' table. The required capabilities (none) are proportionate to the stated purpose.
!
Instruction Scope
The runtime instructions and scripts will scan arbitrary SQLite databases (auto-detect tables), read embeddings and text columns, and create/insert into a quantized_embeddings table using INSERT OR REPLACE. This is expected for a migration/quantize tool, but it means the skill will modify user databases. Also, SKILL.md and references disallow SRHT (lossy SRHT) while some code and imports reference SRHTRotate/SRHT — there is an inconsistency between the written docs and code which could cause unexpected behavior or indicate the code and docs are out of sync.
Install Mechanism
There is no install spec (instruction-only with bundled scripts). No network downloads, no external package installs beyond numpy — low install risk.
Credentials
The skill requests no environment variables or credentials. That is proportionate. However, the scripts require read/write access to whatever SQLite DB path you point them at; they will create/modify tables and can overwrite entries (INSERT OR REPLACE).
Persistence & Privilege
The skill is not always:true and does not ask for persistent system privileges. It will persist data into the target SQLite DB (creates quantized_embeddings and writes records). That behavior is expected but impactful — backups are recommended before running migrations.
What to consider before installing
This skill mostly does what it says: local numpy-based quantization and migration of embeddings into a new SQLite table. Before running it on important data: (1) Back up any database you pass to migrate — the script creates a quantized_embeddings table and uses INSERT OR REPLACE which can overwrite rows. (2) Review the code locally: there are inconsistencies (SKILL.md/refs say blockwise Hadamard and warn against SRHT, but some modules/imports mention SRHTRotate or SRHT; some functions use type names like List/Dict without importing typing) — these may cause runtime errors or indicate the docs and code are out-of-sync. (3) Run the bundled tests (python3 scripts/turboquant.py) and validate on a small copy of your data (python3 scripts/validate.py --db /path/to/copy.db --auto-detect) to confirm behavior and metrics. (4) Prefer running migrate on a copied DB or staging environment. If you are not comfortable auditing Python code yourself, ask the author for clarification about the SRHT vs blockwise Hadamard mismatch and for guarantees about non-destructive migration and deterministic seeds.

Like a lobster shell, security has layers — review code before you run it.

latestvk97af7vp0y2nd7p9c4h18ys3rs83pwtb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments