
Semantic Grep

Author: rizperdana · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 110
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install semantic-grep
Description
Offline local semantic code search using embeddings to find and index code by meaning with llama.cpp, ONNX, or Ollama backends.
Security usage advice
Before installing: (1) Treat the package as untrusted until you inspect its source—pip installing runs code that can do anything on your system. (2) Verify the PyPI package and GitHub repository referenced (rizperdana/semgrepll) and inspect the package contents or prefer building from source. (3) Remove or rotate any tokens you find in docs (the README includes a token-like string) and do not reuse it. (4) Consider running the install in a sandboxed environment or VM, or inspect the package with tools like 'pip download' and review the wheel/tarball. (5) Be cautious about the 'semgrep' command name collision—ensure it won't override or confuse an existing semgrep installation. If you want help, provide the actual PyPI package/source code and I can re-evaluate the install-time behavior and look for network calls or unsafe operations.
Functional analysis
Type: OpenClaw Skill
Name: semantic-grep
Version: 1.0.0

The skill package 'semgrepll' shadows the command name 'semgrep', which is a widely used and well-known static analysis tool, creating a high risk of command hijacking or user confusion (seen in SKILL.md and clawhub.yaml). Additionally, the README.md includes a hardcoded installation token, and the _meta.json file contains a future-dated timestamp (2026), which are anomalous for a standard utility. While no direct evidence of data exfiltration or malicious code is present in the provided metadata, the intentional overlap with a popular security tool's namespace is a significant indicator of potential deceptive intent.
Capability assessment
Purpose & Capability
The name/description (local semantic code search using local LLM/ONNX/Ollama backends) aligns with the instructions to run a CLI that indexes and searches projects. Optional environment variables for model paths/backends are consistent with that purpose. Minor concern: the CLI command shown is 'semgrep', which collides with the well-known 'semgrep' tool — that could cause confusion or unintended overwriting of an existing tool.
Instruction Scope
SKILL.md contains straightforward runtime instructions (index/search/list/remove) that operate on local paths, which is expected. It claims '100% offline' which is plausible but not verifiable from the instruction-only content (the listed pip package could perform network operations at install/runtime). The README includes a 'clh skill install' example containing a token-like string — this is out-of-scope for the skill's functionality and is a red flag (exposes a credential in a public file).
Install Mechanism
There is no registry install spec; the docs advise 'pip install semgrepll'. Installing an unreviewed pip package is a common but non-trivial risk because package install or imported code can execute arbitrary actions. The installers and clawhub.yaml consistently point to pip installation and a GitHub repository, which is coherent, but there is no baked-in, auditable code in the skill bundle for review (instruction-only).
Credentials
The SKILL.md lists optional environment variables (model paths, backend selection) that are proportional to running a local embedding/indexing tool. However, the README contains an apparent ClawHub token in an example command — a likely hard-coded secret that is unrelated to the skill's core behavior and should not be present in public docs. Also, no required credentials are declared in the registry metadata, which is consistent with the instructions, but the hidden token in docs is concerning.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent system-wide privileges in the provided files. It's instruction-only and does not declare modifications to other skills or agent-wide settings.
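How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install semantic-grep
  3. Once installation completes, call the Skill by name or trigger it with /semantic-grep
  4. Provide the required input according to the Skill's parameter description to get structured output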
Version history
v1.0.0
Initial release of semgrepll — local, offline semantic code search.
- Index and search code projects by meaning using embeddings with commands like `semgrep index` and `semgrep search`.
- Supports multiple offline backends: llama.cpp, ONNX, and Ollama.
- No external API calls; works fully offline and auto-selects the fastest backend.
- Embeddings are cached to speed up re-indexing.
- Easy project management: list or remove indexed projects with `semgrep ls` and `semgrep rm`.
- Python 3.10+ required; install with optional ONNX support.
Metadata
Slug semantic-grep
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Semantic Grep?

Offline local semantic code search using embeddings to find and index code by meaning with llama.cpp, ONNX, or Ollama backends. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 110 total downloads so far.

How do I install Semantic Grep?

Run the command "/install semantic-grep" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Semantic Grep free?

Yes, Semantic Grep is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Semantic Grep support?

Semantic Grep runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Semantic Grep?

Developed and maintained by rizperdana (@rizperdana); the current version is v1.0.0.
