Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Bytehouse Hybrid Search

v1.0.0

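ByteHouse hybrid search Skill, supporting full-text search + vector search, combined with the RRF re-ranking algorithm for more accurate search results. Use this Skill when the user needs to run full-text search + vector search in a ByteHouse database, combined with the RRF re-ranking algorithm, to get more accurate search results.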

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (ByteHouse hybrid search with RRF) matches the code and SKILL.md: the code implements full-text + vector search, embedding generation, and RRF re-ranking. However the registry metadata lists no required environment variables or primary credential while the code and SKILL.md clearly require ByteHouse connection info and an Ark/OpenAI API key — this is an internal inconsistency.
! Instruction Scope
SKILL.md instructs the user to install clickhouse-connect and the volcengine SDK and to set the BYTEHOUSE_* and ARK_API_KEY environment variables. The runtime code enforces these (it raises ValueError if BYTEHOUSE_HOST/BYTEHOUSE_PASSWORD or ARK_API_KEY are missing), generates embeddings, and executes SQL (CREATE TABLE, INSERT, queries) against the target ByteHouse instance. The instructions do not request or read any unrelated system files, but they do prompt the agent to collect and use secrets (DB password and API key).
Install Mechanism
This is instruction-only with no install spec; there is no packaged install step that would download arbitrary artifacts. SKILL.md recommends pip install of clickhouse-connect, volcengine-python-sdk[ark], numpy, scipy. No extracted downloads or obscure URLs are used.
! Credentials
The registry claims no required env vars, but the code requires BYTEHOUSE_HOST, BYTEHOUSE_PASSWORD (and ARK_API_KEY) and will fail without them. That mismatch is meaningful: sensitive credentials are necessary for the skill to function but are not declared in metadata/primary credential fields. Also SKILL.md and code disagree on embedding model name and default dimension, and SKILL.md's pip install list does not include the openai package that the code uses.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and does not modify other skills or system-wide settings. It opens network connections to ByteHouse and the configured embedding API (Ark via OpenAI-compatible client), which is expected for its purpose.
What to consider before installing
This skill appears to implement the advertised hybrid search, but the package metadata and README disagree with the code about what it needs. Before installing or running it:
- Treat it as requiring sensitive credentials: you must provide BYTEHOUSE_HOST and BYTEHOUSE_PASSWORD (ByteHouse DB access) and ARK_API_KEY (embedding API). Don't assume the registry declared these. Use least-privilege credentials and a test account.
- Note the discrepant defaults: SKILL.md suggests an embedding model and dimension (doubao-embedding-vision-251215 / 1536) but embedding.py sets a different default model and dimensions (doubao-embedding-text-240715 / 2560). Verify you want the model/dimension used by the code.
- SKILL.md's pip instructions omit the openai package that embedding.py imports; ensure your environment installs the openai client (or adapt the code to the volcengine SDK) to avoid runtime surprises.
- Run in an isolated environment (container/VM) and review network traffic if you need to be sure where data is sent; the code contacts the configured ARK_BASE_URL and the ByteHouse host only.
- If you don't trust the source, ask the publisher to correct the registry metadata (declare required env vars and primary credential) and to align SKILL.md with the code. If anything else looks unexpected after that, reconsider installation.

Like a lobster shell, security has layers — review code before you run it.
