local-file-rag-basic
Author: wjreliable · GitHub · v1.0.0
Total downloads: 3349
Favorites: 1
Current installs: 37
Versions: 1
Install in OpenClaw
/install local-file-rag-basic
Description
High-performance local File RAG suite (Basic Edition).
Safe usage advice
Install only if you are comfortable with the skill reading, extracting, and caching files under the directory you choose. Avoid pointing rootDir at home directories, repositories with secrets, or broad business folders; preinstall and review the npm dependencies yourself where possible; and delete .storage/code-rag.db when you no longer want the index retained.
Functional analysis
Type: OpenClaw Skill
Name: local-file-rag-basic
Version: 1.0.0
The skill is classified as suspicious due to two primary vulnerabilities. Firstly, the `local_file_rag_search` tool's `rootDir` parameter in `script/index.js` allows an AI agent to specify arbitrary directories for scanning, enabling local file disclosure and potential data exfiltration if the agent is prompted maliciously. Secondly, the `ensureDependencies` function in `script/index.js` uses `child_process.execSync` with `shell: true` for dependency installation. While currently used with hardcoded, benign packages, this primitive is highly susceptible to shell injection if the dependency list were ever derived from untrusted input, posing a significant RCE risk. There is no evidence of intentional malicious behavior such as exfiltration to external endpoints or backdoor installation.
Capability assessment
Purpose & Capability
The stated local RAG/search purpose matches the main implementation: it recursively indexes supported code, text, PDF, DOCX, XLS/XLSX, and media metadata, then returns matching snippets or small file contents. No exfiltration endpoint, credential harvesting, or destructive behavior was found.
Instruction Scope
The tool accepts an arbitrary rootDir, switches to that directory, recursively indexes supported files before result filtering, and can return full contents for small matched text/code files. This is high-impact local data access without clear allowlists, confirmation, or sensitive-path controls.
Install Mechanism
On initialization, the skill detects missing document-parser packages and runs npm install --no-save through execSync with shell:true and suppressed output. The package names are hardcoded, reducing injection risk, but automatic runtime package installation is under-controlled and can execute third-party dependency code.
Credentials
Reading local files is purpose-aligned for RAG, but broad recursive scanning, Office/PDF parsing, media metadata reads, and dynamic root switching require clearer user control and privacy disclosure. The artifacts do not show external data upload behavior.
Persistence & Privilege
The skill creates .storage/code-rag.db under the selected root and stores extracted text chunks and metadata for incremental search, but the artifacts do not document retention, deletion, minimization, or protections for sensitive indexed content.
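How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install local-file-rag-basic
- Once installation is complete, call the Skill by name or trigger it with /local-file-rag-basic
- Provide the required inputs according to the Skill's parameter description to get structured output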
Version history
v1.0.0
- Initial release of Local File RAG Search (Basic Edition)
- Indexes files up to 20MB with single-threaded performance
- Supports common code and document formats (JS/TS, Python, C++, Go, Markdown, PDF, DOCX, XLSX, etc.)
- Provides efficient workspace search via query, target file, and root directory parameters
- Returns structured results with skeletons, metadata, and clustered code snippets
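Metadata
FAQ
What is local-file-rag-basic?
High-performance local File RAG suite (Basic Edition). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3349 cumulative downloads to date.
How do I install local-file-rag-basic?
Run the command "/install local-file-rag-basic" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is local-file-rag-basic free?
Yes, local-file-rag-basic is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does local-file-rag-basic support?
local-file-rag-basic runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed local-file-rag-basic?
It is developed and maintained by wjreliable (@wjreliable); the current version is v1.0.0.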