← Back to Skills Marketplace

Sirchmunk

Name: Sirchmunk
Author: wangxingjun778

by wangxingjun778 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

229

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install sirchmunk

Description

Local file search using sirchmunk API. Use when you need to search for files or content by asking natural language questions.

Usage Guidance

This skill is a small local client that talks to a sirchmunk server on localhost; the immediate code is simple and not itself exfiltrating. However, before installing or using it you should: 1) Inspect the sirchmunk server code (the SKILL.md points to a GitHub repo) to confirm how it reads files and where it sends content. 2) Be cautious about providing an LLM_API_KEY/LLM_BASE_URL: if these point to a cloud LLM, your searched file contents may be sent off-host. Prefer running a local, trusted LLM endpoint or omit sensitive directories from SIRCHMUNK_SEARCH_PATHS. 3) Keep the server bound to localhost and firewall it from external access. 4) Verify ~/.sirchmunk/.env contents and don't store global secrets there unless you trust the server implementation. 5) If unsure, run sirchmunk in an isolated environment or container and review network traffic while performing searches. These steps will reduce the risk of accidental data exfiltration.

Capability Analysis

Type: OpenClaw Skill Name: sirchmunk Version: 1.0.0 The script `scripts/sirchmunk_search.sh` contains a shell injection vulnerability because the `$QUERY` and `$PATHS` variables are interpolated directly into a double-quoted string within a `curl` command. This allows for arbitrary command execution on the host if the input contains shell metacharacters (e.g., `$(command)`). While this is a critical security flaw, it appears to be an unintentional vulnerability rather than intentional malice, as the skill's functionality aligns with its documentation and references a legitimate open-source project (ModelScope/sirchmunk).

Capability Assessment

✓ Purpose & Capability

Name, description, SKILL.md, and the included shell wrapper (scripts/sirchmunk_search.sh) are consistent: the skill is a thin client that POSTs a search query to a local sirchmunk server (http://localhost:8584/api/v1/search). The prerequisites (pip install sirchmunk, sirchmunk init, sirchmunk serve) match the stated purpose.

ℹ Instruction Scope

The SKILL.md and script themselves only send queries to a localhost endpoint and do not directly read or transmit arbitrary local files. However, the instructions require configuring ~/.sirchmunk/.env with LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL_NAME and running the sirchmunk server — that server is likely responsible for reading configured search paths and contacting the external LLM. Because the skill delegates file access/networking to the server, the actual data flow depends on the server's behavior (not included here).

✓ Install Mechanism

There is no install spec in the registry (instruction-only skill). The SKILL.md suggests installing sirchmunk via pip, which is expected for a Python-based local server; the included script is a simple curl wrapper with no obfuscated or high-risk install actions.

⚠ Credentials

The registry declares no required environment variables, but SKILL.md instructs the user to create ~/.sirchmunk/.env with LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL_NAME (sensitive credentials). This mismatch (required secrets present in docs but not declared) is a red flag: the local server may transmit file contents to whichever LLM endpoint is configured, so providing those keys can enable exfiltration of searched content to external services.

✓ Persistence & Privilege

The skill is not always-on, does not request special platform privileges, and the provided script does not modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install sirchmunk
After installation, invoke the skill by name or use /sirchmunk
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Sirchmunk 1.0.0 - Initial release providing a simple, LLM-powered local file search using the sirchmunk API. - Supports natural language queries with no need for embedding-db, indexing, or ETL. - Requires prior installation and configuration of Sirchmunk and an LLM API key. - Example command and API usage provided for easy integration. - Paths for searches must be pre-configured or passed as parameters.

Metadata

Slug sirchmunk

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Sirchmunk?

Local file search using sirchmunk API. Use when you need to search for files or content by asking natural language questions. It is an AI Agent Skill for Claude Code / OpenClaw, with 229 downloads so far.

How do I install Sirchmunk?

Run "/install sirchmunk" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Sirchmunk free?

Yes, Sirchmunk is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Sirchmunk support?

Sirchmunk is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Sirchmunk?

It is built and maintained by wangxingjun778 (@wangxingjun778); the current version is v1.0.0.

More Skills