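📦 Rag Retriever — Intelligent Retriever
v0.1.1
RAG 2.0 retrieval system supporting Chinese word segmentation, hybrid vector and keyword search, intelligent document chunking with weighted reranking, and automatic generation of RAG-format output.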
Last updated: 2026/3/31
Security scan
OpenClaw
Suspicious
High confidence: The skill largely matches its stated purpose (a RAG retriever) but the package and runtime include undisclosed external network calls (OpenAI embeddings) and file writes that are not declared in the registry metadata, so you should review and be cautious before installing or providing credentials.
Assessment recommendations
This skill appears to implement a legitimate RAG retriever, but exercise caution because: (1) the code will call the OpenAI Embeddings API if an OPENAI_API_KEY is available — that is not declared in the registry metadata or SKILL.md; providing a key will cause your texts to be sent to OpenAI. (2) npm install pulls heavy native deps (transformers, onnxruntime, sharp), so review resource/compatibility and run in a sandbox if possible. Before installing, either: (A) review src/embeddings.js and oth...
ℹ Purpose and capabilities
The libraries and files (LanceDB, jieba, HuggingFace transformers, BM25 implementation) are appropriate for a RAG retriever and align with the description. The included local model/tokenizer artifacts also make sense for local embedding support. No obvious unrelated dependencies are present.
⚠ Instruction scope
SKILL.md instructs npm install and running the CLI and JS APIs and documents using external embedding providers, but it does not mention that the code will call the OpenAI Embeddings API. The runtime instructions do not declare or warn about network requests or the need to supply an OpenAI API key, which the code will use if present.
ℹ Installation mechanism
There is no formal install spec in the registry entry, but SKILL.md/README instruct users to run 'npm install'. package.json and package-lock.json will pull many native and heavy dependencies (transformers, onnxruntime, sharp, etc.), which is expected for local transformer support but can be large and may require native build/runtime dependencies. This is expected for the skill's purpose but worth knowing.
⚠ Credential requirements
Registry metadata declares no required environment variables, but src/embeddings.js reads process.env.OPENAI_API_KEY and will POST user text to https://api.openai.com/v1/embeddings if used. That means sensitive data (documents or queries) can be sent to an external API if a key is provided — this external credential access is not declared in the skill metadata.
✓ Persistence and privileges
The skill does write local caches and model/tokenizer artifacts under ./data/ (embedding cache, lancedb, model-cache). It does not request permanent 'always: true' privileges and does not attempt to modify other skills or global agent settings. Local file writes are expected for this functionality.
⚠ src/embeddings.js:16
Environment variable access combined with network send.
⚠ src/embeddings.js:4
File read combined with network send (possible exfiltration).
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v0.1.1 · 2026/3/31
- Updated package version to 0.1.1 in package.json.
- No other functional or documentation changes in this release.
● Benign
Install command
Official: npx clawhub@latest install yuyonghao-rag-retriever
Mirror (accelerated): npx clawhub@latest install yuyonghao-rag-retriever --registry https://cn.longxiaskill.com (mirror sync in progress)