← 返回 Skills 市场

Ragie.ai-RAG

Name: Ragie.ai-RAG
Author: hatim-be

作者 Hatim-BE · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

573

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ragie-rag

功能描述

Execute Retrieval-Augmented Generation (RAG) using Ragie.ai. Use this skill whenever the user wants to: - Search their knowledge base - Ask questions about u...

安全使用建议

What to check before installing: - Metadata mismatch: the registry summary claims no required env/credentials but the SKILL.md and bundled scripts require RAGIE_API_KEY and python3. Confirm which metadata is authoritative and ask the publisher to fix the registry entry before installing. - Secrets: the scripts will send uploaded file contents and metadata to https://api.ragie.ai using whatever RAGIE_API_KEY you provide. Only use an API key you trust to grant that service access to your documents; avoid ingesting secrets or PII unless you trust Ragie. - Local .env: the scripts call load_dotenv() so a local .env file can supply the key. Ensure you don't commit .env to source control and keep the key rotated if compromised. - Dependencies: the package expects requests and python-dotenv. There is no automated installer; ensure the execution environment has python3 and these packages (pip install requests python-dotenv) or run the scripts in an isolated environment. - Inspect & control ingress: ingest.py opens user-specified file paths and posts them to Ragie; review and sanitize any files you plan to upload. Consider running the scripts locally rather than granting broad agent-level execution if you have sensitive data. - If you want higher assurance: ask the publisher to correct registry metadata, provide a reproducible install spec (or a vetted package), and sign the release. If those fixes are made, the skill appears coherent and appropriate for RAG use. Confidence note: medium — the code and instructions are consistent with the described purpose, but the contradictory registry metadata reduces confidence. If registry metadata is corrected to declare RAGIE_API_KEY and python3/requests/python-dotenv, this would increase confidence to high.

功能分析

Type: OpenClaw Skill Name: ragie-rag Version: 1.0.2 The skill bundle is classified as suspicious due to significant vulnerabilities related to input handling and arbitrary file access, despite lacking explicit malicious intent. The `SKILL.md` instructs the AI agent to execute shell commands with arguments derived from user input (e.g., `--file`, `--url`, `--name`, `--query`), which creates a shell injection risk if the agent does not properly sanitize these inputs. Furthermore, `scripts/ingest.py` allows ingesting arbitrary local files or URLs via the `--file` and `--url` arguments. This could be exploited by a compromised agent to exfiltrate sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to the legitimate Ragie.ai service, which constitutes an unauthorized data exposure risk. No direct malicious code (e.g., unauthorized exfiltration to third-party domains, backdoors, persistence) was found, and `SKILL.md` even includes instructions to prevent data leakage.

能力评估

ℹ Purpose & Capability

The name/description (Ragie.ai RAG) align with the included scripts: ingest.py, manage.py, and retrieve.py implement ingestion, listing/status/delete, and retrieval against https://api.ragie.ai. Requiring a single API key (RAGIE_API_KEY) and python is consistent with the stated purpose. However the registry-level summary at the top of the submission (Required env vars: none, Primary credential: none) contradicts the SKILL.md and the scripts which both require RAGIE_API_KEY. This mismatch in published metadata vs. actual runtime requirements is an inconsistency that should be resolved.

✓ Instruction Scope

SKILL.md gives explicit, narrow instructions to run the included Python scripts for ingestion, management, and retrieval. The scripts only access user-provided files/URLs and the RAGIE API, and do not attempt to read unrelated system files. They use dotenv (so they will load a .env file if present) and will POST files or JSON to api.ragie.ai as expected by the skill's purpose.

ℹ Install Mechanism

No install spec is provided (instruction-only install), and the code is shipped as plain Python scripts. The scripts depend on python3 plus two Python packages (requests, python-dotenv) as declared in SKILL.md metadata; however no automated install is provided and the registry summary did not list these. This is low risk functionally but operationally you'll need to ensure the runtime has python3 and the required packages installed.

ℹ Credentials

The only secret the skill needs is RAGIE_API_KEY, which is proportionate to a RAG API integration. The scripts load environment variables via python-dotenv (load_dotenv), so they may read a local .env file; this is standard but you should ensure .env is not committed. The main proportional concern is the metadata inconsistency: the registry reported no required env/credentials while the skill actually requires the API key.

✓ Persistence & Privilege

The skill does not request permanent presence (always: false) and does not modify other skills or system-wide settings. It only executes on invocation and runs CLI scripts that interact with Ragie. No elevated privileges are requested.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ragie-rag
安装完成后，直接呼叫该 Skill 的名称或使用 /ragie-rag 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- Added explicit OpenClaw-compatible metadata under a new metadata key in SKILL.md. - Metadata specifies required binaries, environment variables, Python dependencies, and credential instructions. - No functional or workflow changes.

v1.0.1

- Added requirement for RAGIE_API_KEY environment variable. - Documented required Python dependencies: requests, python-dotenv. - Installation instructions and environment setup details now included. - Skill now enforces immediate failure if API key is missing. - No changes to API or workflow logic.

v1.0.0

Version 1.0.0 of ragie-rag - Initial release introducing Retrieval-Augmented Generation (RAG) using Ragie.ai. - Provides deterministic workflows for document ingestion, retrieval, and management. - Ensures grounded question answering with strict rules to prevent hallucination. - Supports file and URL ingestion, document listing, status checking, and deletion. - Requires all answers to be based only on retrieved knowledge and clearly cites document sources. - Comprehensive error handling and security guidelines included.

元数据

Slug ragie-rag

版本 1.0.2

许可证 —

累计安装 1

当前安装数 1

历史版本数 3

常见问题

Ragie.ai-RAG 是什么？

Execute Retrieval-Augmented Generation (RAG) using Ragie.ai. Use this skill whenever the user wants to: - Search their knowledge base - Ask questions about u... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 573 次。

如何安装 Ragie.ai-RAG？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ragie-rag」即可一键安装，无需额外配置。

Ragie.ai-RAG 是免费的吗？

是的，Ragie.ai-RAG 完全免费（开源免费），可自由下载、安装和使用。

Ragie.ai-RAG 支持哪些平台？

Ragie.ai-RAG 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Ragie.ai-RAG？

由 Hatim-BE（@hatim-be）开发并维护，当前版本 v1.0.2。