Semantic Grep
by rizperdana · GitHub ↗ · v1.0.0 · MIT-0
110 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw: /install semantic-grep
Description
Offline local semantic code search using embeddings to find and index code by meaning with llama.cpp, ONNX, or Ollama backends.
Usage Guidance
Before installing: (1) Treat the package as untrusted until you inspect its source—pip installing runs code that can do anything on your system. (2) Verify the PyPI package and GitHub repository referenced (rizperdana/semgrepll) and inspect the package contents or prefer building from source. (3) Remove or rotate any tokens you find in docs (the README includes a token-like string) and do not reuse it. (4) Consider running the install in a sandboxed environment or VM, or inspect the package with tools like 'pip download' and review the wheel/tarball. (5) Be cautious about the 'semgrep' command name collision—ensure it won't override or confuse an existing semgrep installation. If you want help, provide the actual PyPI package/source code and I can re-evaluate the install-time behavior and look for network calls or unsafe operations.
Capability Analysis
Type: OpenClaw Skill
Name: semantic-grep
Version: 1.0.0
The skill package 'semgrepll' shadows the command name 'semgrep', which is a widely used and well-known static analysis tool, creating a high risk of command hijacking or user confusion (seen in SKILL.md and clawhub.yaml). Additionally, the README.md includes a hardcoded installation token, and the _meta.json file contains a future-dated timestamp (2026), which are anomalous for a standard utility. While no direct evidence of data exfiltration or malicious code is present in the provided metadata, the intentional overlap with a popular security tool's namespace is a significant indicator of potential deceptive intent.
Capability Assessment
Purpose & Capability
The name/description (local semantic code search using local LLM/ONNX/Ollama backends) aligns with the instructions to run a CLI that indexes and searches projects. Optional environment variables for model paths/backends are consistent with that purpose. Minor concern: the CLI command shown is 'semgrep', which collides with the well-known 'semgrep' tool — that could cause confusion or unintended overwriting of an existing tool.
Instruction Scope
SKILL.md contains straightforward runtime instructions (index/search/list/remove) that operate on local paths, which is expected. It claims '100% offline' which is plausible but not verifiable from the instruction-only content (the listed pip package could perform network operations at install/runtime). The README includes a 'clh skill install' example containing a token-like string — this is out-of-scope for the skill's functionality and is a red flag (exposes a credential in a public file).
Install Mechanism
There is no registry install spec; the docs advise 'pip install semgrepll'. Installing an unreviewed pip package is a common but non-trivial risk because package install or imported code can execute arbitrary actions. The installers and clawhub.yaml consistently point to pip installation and a GitHub repository, which is coherent, but there is no baked-in, auditable code in the skill bundle for review (instruction-only).
Credentials
The SKILL.md lists optional environment variables (model paths, backend selection) that are proportional to running a local embedding/indexing tool. However, the README contains an apparent ClawHub token in an example command — a likely hard-coded secret that is unrelated to the skill's core behavior and should not be present in public docs. Also, no required credentials are declared in the registry metadata, which is consistent with the instructions, but the hidden token in docs is concerning.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent system-wide privileges in the provided files. It's instruction-only and does not declare modifications to other skills or agent-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install semantic-grep
- After installation, invoke the skill by name or use /semantic-grep
- Provide the required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of semgrepll — local, offline semantic code search.
- Index and search code projects by meaning using embeddings with commands like `semgrep index` and `semgrep search`.
- Supports multiple offline backends: llama.cpp, ONNX, and Ollama.
- No external API calls; works fully offline and auto-selects the fastest backend.
- Embeddings are cached to speed up re-indexing.
- Easy project management: list or remove indexed projects with `semgrep ls` and `semgrep rm`.
- Python 3.10+ required; install with optional ONNX support.
Frequently Asked Questions
What is Semantic Grep?
Offline local semantic code search using embeddings to find and index code by meaning with llama.cpp, ONNX, or Ollama backends. It is an AI Agent Skill for Claude Code / OpenClaw, with 110 downloads so far.
How do I install Semantic Grep?
Run "/install semantic-grep" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Semantic Grep free?
Yes, Semantic Grep is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Semantic Grep support?
Semantic Grep is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Semantic Grep?
It is built and maintained by rizperdana (@rizperdana); the current version is v1.0.0.