Security Scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This skill is a coherent CLI wrapper for Voyage AI + MongoDB Atlas Vector Search, but check a few things before installing: 1) The package installs globally via npm — verify the 'voyageai-cli' package and its maintainer (npm listing and GitHub repo) so you trust what code will be run on your machine. 2) You must provide VOYAGE_API_KEY; the SKILL.md also references MONGODB_URI for DB operations but that env var is not declared — only set MONGODB_URI when you intend to allow the CLI to connect to ...
ℹ Purpose and capabilities
The name/description, required binary ('vai'), and VOYAGE_API_KEY align with a CLI that calls Voyage AI and Atlas APIs. Minor mismatch: the SKILL.md documents use of MONGODB_URI (for storing/searching) but that env var is not declared in the skill's requires.env; otherwise required pieces make sense for the stated purpose.
ℹ Instruction scope
SKILL.md is an instruction-only wrapper that tells the agent to run the 'vai' CLI with commands for embedding, indexing, search, reranking, config management, completions, and ingestion. These steps stay within the stated domain. The instructions do include writing shell completion files (~/.bashrc, ~/.zsh/completions) and using 'vai config' to persist an API key in the user's config — expected for a CLI but worth noting. No instructions attempt to access unrelated files or external endpoints beyond the Voyage/MongoDB services documented.
✓ Install mechanism
Install uses npm (package: voyageai-cli, global installation). npm is an expected distribution channel for a Node.js CLI. This is moderate-risk relative to a curated package store but is proportionate and consistent with the skill's purpose; there are no ad-hoc download URLs or archive extractions in the spec.
⚠ Credential requirements
The skill declares VOYAGE_API_KEY as required (appropriate). However, SKILL.md refers to MONGODB_URI for store/search/index operations but MONGODB_URI is not listed in requires.env. The absence of an explicit primaryEnv (VOYAGE_API_KEY could reasonably be primary) and the undocumented optional env variable is a documentation/integration inconsistency the user should be aware of before installing.
✓ Persistence and privileges
always:false (default) and disable-model-invocation:false — normal. The CLI supports persistent config (vai config set api-key) which will store the API key locally in the user's config; that is expected behavior for a CLI but users should be aware it persists credentials to disk. The skill does not request system-wide or other skills' settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.4.0 2026/2/3
● Suspicious
Install command
Official: npx clawhub@latest install voyageai-skill
Mirror (accelerated): npx clawhub@latest install voyageai-skill --registry https://cn.longxiaskill.com