Security Scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This project appears to be what it says: an on-prem/local document parsing + local-model AI toolkit. Before installing or deploying, consider the following: 1) Initial model files are large and require network access or manual transfer—if you need strict air-gap guarantees, download models on an allowed machine and copy them into ./models rather than running automated downloads in the target network. 2) The requirements pull heavy native/GPU packages (torch, paddlepaddle, faiss, etc.); install i...
✓ Purpose and capabilities
Name/description (local private/offline file AI) matches the code and docs: parsers, local vector store, local LLM model configuration, OCR, large-file handler, sandbox and compliance logger are all relevant to the stated purpose. There are no unrelated required environment variables, binaries, or config paths requested in metadata.
ℹ Instruction scope
SKILL.md and README focus on local/offline usage and document parsing; the runtime instructions call for pip-installing dependencies and running scripts/download_models.py to fetch models. The project does require an initial model download (or manual placement of model files) but otherwise runs locally. One implementation detail to review: the compliance_logger generates its encryption key internally by deriving it from a constant password and a random salt on each process start, so later processes cannot read encrypted logs written earlier (an operational bug that undermines audit portability/continuity).
ℹ Install mechanism
There is no platform installer provided (no install spec), so install relies on pip installing requirements.txt and optionally running download_models.py which points to well-known hosts (Hugging Face assets and PaddleOCR). The download script currently prints/manual-download hints rather than automatically pulling large model files; the URLs are to recognized project hosts (huggingface.co, paddleocr.bj.bcebos.com). The requirements list heavy native/GPU packages and will pull large dependencies; review and install in a controlled environment.
✓ Credential requirements
The skill requests no environment variables or external credentials in metadata. The only 'secret' area is the compliance logger's optional encryption_key parameter (if provided, logs can be made deterministic); by default the code generates a key locally. No unexpected credentials or unrelated service tokens are required.
✓ Persistence and permissions
Flags show always:false and user-invocable:true (normal). The skill does not request persistent platform-wide privileges or modify other skills. It writes local models/config/logs under the project directory (normal for this type of tool).
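Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/16
● Harmless
Install command
Official: npx clawhub@latest install local-data-ai
Mirror (accelerated): npx clawhub@latest install local-data-ai --registry https://cn.longxiaskill.com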