← 返回 Skills 市场
Vector Store Shootout
作者
Nissan Dookeran
· GitHub ↗
· v1.0.0
371
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vector-store-shootout
功能描述
8 vector store implementations behind a common interface — numpy, lancedb, qdrant, pgvector, weaviate, weaviate_hybrid, milvus, lightrag. Use when evaluating...
安全使用建议
This skill appears to implement the vector stores it claims, but there are multiple practical inconsistencies you should address before installing or running it:
- Dependencies: The code requires many Python packages (requests, numpy, networkx, lancedb, qdrant_client, psycopg2/pymilvus/pyarrow/weaviate-client, etc.) but the skill only declares python3. Don't run it on a production host without creating a pinned virtual environment (venv/conda) and installing and auditing those packages first.
- Network vs local: The SKILL metadata implies no outbound networking, but the code calls embedding endpoints (default: local Ollama at http://localhost:11434) and optionally OpenAI (api.openai.com). If you want purely local operation, run an Ollama instance on localhost and avoid supplying OpenAI keys. If you supply an OpenAI key or use remote DB backends, data (the texts you index/query) will be sent to those services.
- Secrets: The skill doesn't declare required env vars, yet it will accept and use an OpenAI API key if given. Only provide credentials if you trust the code and run it in an isolated environment; do not pass secrets you wouldn't want used for remote embedding/exfiltration.
- Resource effects: Backends create temporary files, DB tables, and collections and delete them on cleanup; verify these operations are acceptable in your environment (especially if you point to an existing Postgres instance or other shared service).
- Safety steps: Run the skill in a disposable VM or container first, pin dependency versions, inspect network traffic to ensure embeddings are sent to endpoints you expect, and consider providing a local embed_fn (test injection) to avoid network calls during evaluation. If you need a complete dependency/install spec and clearer network/credential documentation, request it from the publisher before using in production.
功能分析
Type: OpenClaw Skill
Name: vector-store-shootout
Version: 1.0.0
The skill bundle implements various vector store backends but contains a significant security vulnerability and a metadata discrepancy. Specifically, `scripts/pgvector_store.py` is vulnerable to SQL injection because it uses f-strings to interpolate the `table_name` directly into SQL queries. Furthermore, the `SKILL.md` file incorrectly claims no outbound network access (`network: outbound: false`), whereas multiple files (e.g., `scripts/numpy_store.py`, `scripts/weaviate_store.py`) contain logic to send data to the external OpenAI API (`api.openai.com`) for embedding generation.
能力评估
Purpose & Capability
The skill name/description (eight vector store implementations behind a common interface) aligns with the included code files: numpy, lancedb, qdrant, pgvector, weaviate, milvus, lightrag, etc. Implementations perform expected actions for indexing/search and (where appropriate) persistent storage and cleanup. However, the SKILL metadata only requires python3 while the code imports many third-party libraries (requests, lancedb, qdrant_client, qdrant_client.models, psycopg2, pymilvus, networkx, pyarrow, numpy, etc.), so the declared requirements are incomplete relative to the code.
Instruction Scope
SKILL.md metadata states outbound networking is false / 'All backends run locally', but multiple store implementations make HTTP calls (requests.post to Ollama at http://localhost:11434 and to https://api.openai.com), and client libraries connect to networked services (Qdrant, Weaviate, Milvus, Postgres). The code will write temp directories, create/drop DB tables and collections, and may delete those resources on cleanup — expected for DB backends, but the network claim is misleading. The runtime instructions do not request any credentials explicitly, yet the code supports using an OpenAI API key and will send user text to embedding endpoints if configured, which means user data could leave the host depending on deployment.
Install Mechanism
There is no install spec despite many non-standard runtime dependencies. The skill is distributed as code files but does not declare or install required Python packages, increasing friction and risk (users may install libraries ad-hoc or run code without needed packages). Absence of a pinned dependency list or install steps is disproportionate to the task complexity and makes it unclear what will be installed or required on the host.
Credentials
The registry metadata declares no required environment variables or primary credential, but implementations accept and use an optional OpenAI API key parameter and will call remote embedding services (OpenAI) if provided. The mismatch between 'no credentials required' and code that will use credentials if supplied is confusing and could cause users to inadvertently supply a secret to a skill that didn't declare it. Additionally, network usage is environment-dependent but not made explicit in required configuration.
Persistence & Privilege
The skill does not request elevated platform privileges, does not set always:true, and does not modify other skills. It creates temporary directories and persistent stores (LanceDB, Milvus Lite files, or database tables) as part of backend operation and provides cleanup methods that drop those resources — this behavior is expected for database backends and is scoped to the skill's own resources.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vector-store-shootout - 安装完成后,直接呼叫该 Skill 的名称或使用
/vector-store-shootout触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of vector-store-shootout
- Provides 8 interchangeable vector store backends under a unified Python interface: numpy, lancedb, qdrant, pgvector, weaviate, weaviate_hybrid, milvus, and lightrag.
- Enables easy benchmarking, evaluation, and backend-switching for RAG and vector search applications.
- Simple base class: implement add, search, and delete methods for consistency across backends.
- Includes finding: weaviate hybrid search at alpha=0.1 delivers better results for technical/keyword-heavy content compared to default settings.
- All backends can run locally; outbound network access depends on deployment configuration.
元数据
常见问题
Vector Store Shootout 是什么?
8 vector store implementations behind a common interface — numpy, lancedb, qdrant, pgvector, weaviate, weaviate_hybrid, milvus, lightrag. Use when evaluating... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 371 次。
如何安装 Vector Store Shootout?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vector-store-shootout」即可一键安装,无需额外配置。
Vector Store Shootout 是免费的吗?
是的,Vector Store Shootout 完全免费(开源免费),可自由下载、安装和使用。
Vector Store Shootout 支持哪些平台?
Vector Store Shootout 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Vector Store Shootout?
由 Nissan Dookeran(@nissan)开发并维护,当前版本 v1.0.0。
推荐 Skills