- Total downloads: 759
- Favorites: 0
- Current installs: 0
- Versions: 1
Install in OpenClaw
/install oee-knowledge-base
Description
Semantic knowledge base allowing ingest, search, and retrieval of saved texts, URLs, and files using embeddings and SQLite.
Security usage recommendations
This skill appears to be a local RAG knowledge base and the code largely matches that purpose, but there are important inconsistencies you should resolve before installing or supplying API keys:
- SKILL.md says you need ANTHROPIC_API_KEY or OPENAI_API_KEY but the registry metadata lists no required env vars — assume the code will attempt to call an embeddings API. Only provide a key you trust and ideally create a dedicated, limited-scope key for this purpose.
- The code calls external binaries (yt-dlp for YouTube transcripts, pdftotext as a PDF fallback) and may rely on Python packages like PyMuPDF (fitz). These dependencies are not declared; if you run this skill, ensure those binaries/packages are installed from official sources. Running in a sandbox/container is recommended.
- The skill fetches arbitrary URLs and runs subprocesses to extract content. This is expected for an ingest tool but means it will make outbound network requests and execute local binaries. Do not point it at sensitive internal URLs or supply credentials without reviewing the code.
- The skill creates a local database (kb.db) in the skill directory and writes temporary files to /tmp; protect that file if it will contain sensitive data.
If you plan to use this skill: inspect the full kb.py (the provided snippet was truncated), confirm where it sends network requests and which env vars it reads, install required binaries from trusted sources, and consider running it in an isolated environment. If you cannot verify those points, treat the skill as potentially risky.
Functional analysis
Type: OpenClaw Skill
Name: oee-knowledge-base
Version: 1.0.0
The `kb.py` file contains a critical shell injection vulnerability within the `extract_pdf` function. The `subprocess.run` call, which executes a Python script via `python3 -c`, constructs the script using an f-string that directly embeds the `path` variable (derived from user-provided `url_or_path`) without proper sanitization. A malicious URL or local path containing shell metacharacters or Python string delimiters could lead to arbitrary command execution on the host system. Additionally, the skill utilizes `subprocess.run` to execute external tools like `yt-dlp` and `pdftotext`, which, while intended, expands the attack surface.
Capability assessment
Purpose & Capability
The skill's stated purpose (ingest/search/retrieve using embeddings + SQLite) matches the code's behavior. However, SKILL.md explicitly requires ANTHROPIC_API_KEY or OPENAI_API_KEY for embeddings, yet the registry metadata lists no required env vars/primary credential. Also the code expects external binaries (yt-dlp, pdftotext) and Python packages (fitz/PyMuPDF) that are not declared in the metadata. These omissions are incoherent and should be clarified.
Instruction Scope
Runtime instructions and code fetch arbitrary URLs, download content, extract transcripts, and run subprocesses (yt-dlp, pdftotext, a python -c fallback that imports fitz). They create a local SQLite DB (kb.db) and write temporary files under /tmp. While this is consistent with a KB ingest tool, the instructions and code do not declare or warn about these external fetches/subprocesses or which environment variables are required, and they give the agent freedom to ingest arbitrary remote content — a review and stricter scoping are recommended.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded/installed by the installer. That's lower risk, but the code invokes external binaries (yt-dlp, pdftotext) and may require Python packages (fitz). The skill does not declare these requirements in SKILL.md or registry metadata.
Credentials
SKILL.md requires ANTHROPIC_API_KEY or OPENAI_API_KEY (and the code reads KB_EMBED_MODEL from env), which is proportionate for embedding calls. However the registry metadata claims 'Required env vars: none' and 'Primary credential: none' — an inconsistency. Requiring an LLM/embed API key is reasonable for this skill, but it must be declared and users should only supply keys with minimal scope and/or dedicated billing.
Persistence & Privilege
The skill does not request always:true nor modify other skills. It persists data to a local SQLite DB (kb.db) and writes temporary files under /tmp for processing; this is expected for a KB tool.
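How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install oee-knowledge-base
- Once installation completes, invoke the Skill by name or use /oee-knowledge-base to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output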
Version history
v1.0.0
Initial release of oee-knowledge-base: a personal RAG-powered knowledge base.
- Ingest and save text, files, URLs, and notes with a single command.
- Semantic search and context retrieval across all stored entries.
- Simple CLI tools for ingestion, querying, and knowledge base management.
- Stores data locally using SQLite and embeddings.
- Requires Python 3.10+ and API key for embedding generation.
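FAQ
What is OEE Knowledge Base RAG?
Semantic knowledge base allowing ingest, search, and retrieval of saved texts, URLs, and files using embeddings and SQLite. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 759 cumulative downloads so far.
How do I install OEE Knowledge Base RAG?
Run the command "/install oee-knowledge-base" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is OEE Knowledge Base RAG free?
Yes, OEE Knowledge Base RAG is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does OEE Knowledge Base RAG support?
OEE Knowledge Base RAG is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed OEE Knowledge Base RAG?
It is developed and maintained by OdinBot33 (@odinbot33); the current version is v1.0.0.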