← Back to Skills Marketplace
tianmaomao

anythingllm-rag

by Scott Tian · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
210
Downloads
1
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install anythingllm-rag
Description
Query local documents via AnythingLLM RAG (Retrieval-Augmented Generation). Use when the user asks about their private/local documents, PDFs, uploaded files,...
README (SKILL.md)

AnythingLLM RAG Skill

Query local/private documents through AnythingLLM's RAG API.

Configuration

Environment variables (set in TOOLS.md or shell):

  • ANYTHINGLLM_URL — default http://localhost:3001
  • ANYTHINGLLM_API_KEY — API token
  • ANYTHINGLLM_WORKSPACE — default workspace slug

Script location: scripts/anythingllm.sh

When to Use

Use AnythingLLM RAG when:

  • User asks about their local/private documents
  • User wants to search uploaded PDFs, DOCX, TXT files
  • User asks "what does X document say about Y"
  • User wants to upload documents to the knowledge base

Use default model when:

  • General knowledge questions
  • Questions not related to local documents
  • Coding, writing, analysis without document context

Commands

Query documents (RAG)

bash scripts/anythingllm.sh query "你的问题"

Upload a file

bash scripts/anythingllm.sh upload /path/to/file.pdf

Upload raw text

bash scripts/anythingllm.sh upload-text "文本内容" "文档标题"

List documents

bash scripts/anythingllm.sh list-docs

Check API health

bash scripts/anythingllm.sh health

Response Format

Query returns JSON with:

  • textResponse — the RAG-generated answer
  • sources — array of source documents used for context

Present the answer to the user, citing relevant sources when available.

Notes

  • Scripts are in the skill's scripts/ directory — use paths relative to skill location
  • API key and workspace are pre-configured
  • For PDF/DOCX queries, documents must be uploaded first
Usage Guidance
This skill does what it says (query/upload local documents), but it ships with a hard-coded API key and will send any specified local file to the configured server. Before installing/use: 1) Do not use the embedded API key — supply your own via environment variables or remove the default from the script. 2) Confirm ANYTHINGLLM_URL points to a server you control (localhost or a trusted host). 3) Restrict the agent so uploads require explicit user approval (avoid autonomous invocation for file uploads). 4) Review and test the upload command in a sandbox with non-sensitive files first. 5) If you already used the embedded key, assume it may be compromised and rotate/disable it on the server. If you want lower risk, prefer a version that requires explicit per-file confirmation or that exposes only read/query operations (no arbitrary file upload).
Capability Analysis
Type: OpenClaw Skill Name: anythingllm-rag Version: 1.0.0 The script `scripts/anythingllm.sh` contains a critical shell injection vulnerability because it uses `eval` to execute a constructed curl command containing unsanitized user input (e.g., in the `api_call` and `upload_text` functions). Additionally, the script contains a hardcoded API key and workspace ID. While these appear to be severe security vulnerabilities rather than intentional malware, they allow for arbitrary command execution if the agent processes crafted input.
Capability Assessment
Purpose & Capability
The skill's name/description (RAG over local documents) matches the provided commands (query, upload, list). However, the script embeds a default API key and workspace ID rather than requiring the operator to provide credentials via environment variables as the SKILL.md implies. Shipping a default credential in code is disproportionate and unexpected for this purpose.
Instruction Scope
SKILL.md directs the agent to run scripts that can upload arbitrary files (upload <file>) and raw text to a remote API. Uploading local files is consistent with the stated purpose, but the instructions allow sending any filesystem path (including sensitive files) with no additional safeguards, prompting a high risk of accidental exfiltration.
Install Mechanism
No install spec — instruction-only with a bundled script. That reduces risk from arbitrary installers or remote downloads. The primary risk comes from executing the included script, not from an installation mechanism.
Credentials
SKILL.md documents environment variables ANYTHINGLLM_URL, ANYTHINGLLM_API_KEY, and ANYTHINGLLM_WORKSPACE, but the registry lists none. The script sets defaults and includes a hard-coded API key (ANYTHINGLLM_API_KEY default = 'JYF2P4K-SQ6MKA3-NGW734W-6CVY672') and a default workspace ID — storing credentials in source is disproportionate and unexpected, and may point to misuse or a shared/third-party backend.
Persistence & Privilege
The skill does not request always:true and has no special system privileges. However, because skills can be invoked autonomously by the agent, an enabled skill that can read local paths and upload files increases the blast radius — especially combined with the embedded API key and upload endpoints. That combination warrants caution.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install anythingllm-rag
  3. After installation, invoke the skill by name or use /anythingllm-rag
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of anythingllm-rag skill. - Enables querying and searching of local/private documents through AnythingLLM's RAG API. - Supports uploading files and raw text to the user's knowledge base. - Responds to specific document-related phrases and defaults to the main model for unrelated queries. - Provides command scripts for querying, uploading, listing documents, and health checks. - Returns RAG-generated answers with cited sources.
Metadata
Slug anythingllm-rag
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is anythingllm-rag?

Query local documents via AnythingLLM RAG (Retrieval-Augmented Generation). Use when the user asks about their private/local documents, PDFs, uploaded files,... It is an AI Agent Skill for Claude Code / OpenClaw, with 210 downloads so far.

How do I install anythingllm-rag?

Run "/install anythingllm-rag" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is anythingllm-rag free?

Yes, anythingllm-rag is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does anythingllm-rag support?

anythingllm-rag is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created anythingllm-rag?

It is built and maintained by Scott Tian (@tianmaomao); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments