Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
RAGLite - Local Expandable Library AI Library
v1.0.0
Local-first RAG cache: distill docs into structured Markdown, then index/query with Chroma + hybrid search (vector + keyword).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name/description match the scripts and SKILL.md: python3/pip are reasonable prerequisites, and the scripts install and run a raglite CLI that condenses, indexes, and queries docs. The SKILL.md asks for ripgrep and a local Chroma endpoint as optional prerequisites, which aligns with the hybrid search claim.
Instruction Scope
The runtime wrapper (scripts/raglite.sh) injects '--engine openclaw' when the user doesn't specify an engine, which forces the library to use the OpenClaw engine by default. SKILL.md states OpenClaw Gateway /v1/responses must be reachable and that OPENCLAW_GATEWAY_TOKEN may be required — but the skill does not declare that env var. This means documents you process could be sent to an external gateway or cause outbound network activity without an explicit opt-in from the user.
Install Mechanism
Installation uses pip to install directly from GitHub (git+https://github.com/VirajSanghvi1/raglite.git@main). Installing from a GitHub main branch runs code from an evolving source (moderate risk). It is better to pin a release/tag or audit the upstream repository before installing.
Credentials
The skill declares no required env vars, but SKILL.md references OPENCLAW_GATEWAY_TOKEN and requires a reachable OpenClaw gateway when the default engine is used. The skill may read that token from the environment if present (not declared), which is disproportionate to a purely local RAG cache and could leak data if the gateway is remote/untrusted.
Persistence & Privilege
'always' is false and the skill installs into a skill-local virtualenv; it does not request system-wide changes or modify other skills' configs. No elevated persistence is requested.
What to consider before installing
This skill looks like a legitimate local RAG tool, but take precautions before installing/using it:
- Be aware the wrapper will default to engine 'openclaw' unless you pass --engine explicitly; that can cause documents to be sent to an OpenClaw gateway. Always pass --engine <local|ollama|etc.> if you want to avoid outbound network usage.
- The install script pip-installs from github:@main. Review the upstream repository (or request a pinned release/tag) before running install.sh and prefer installing in an isolated environment (container or VM).
- If you have an OPENCLAW_GATEWAY_TOKEN in your environment, the installed library may use it even though the skill did not declare it. Remove or unset tokens you don't want used, or explicitly set a safe engine.
- Ensure your Chroma server is local (chroma-url default is http://127.0.0.1:8100) and that ripgrep is installed if you need keyword search.
- If you need higher assurance: clone and inspect the raglite repo code (or ask the author for a signed/pinned release) and run installs in a sandbox before trusting it with sensitive documents.
latest: vk972aqz1vq9cz0z4ncfx317k4980kfyf
Runtime requirements
🔎 Clawdis
OS: macOS · Linux
Bins: python3, pip
