Scan Report
0 /100
local-rag
Semantic search over local files using BGE-M3 embeddings and BGE-RERANKER-LARGE reranking with ChromaDB and parent-child chunking
A legitimate local RAG skill that indexes user documents for semantic search using ChromaDB and BGE-M3 embeddings. All observed behavior is declared, necessary, and consistent with the documented purpose.
Safe to install
No action needed. The skill is safe to use as described.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | index.py reads ~/Documenti and ~/Scaricati (the Italian-locale Documents and Downloads folders) |
| Filesystem | WRITE | WRITE | ✓ Aligned | index.py stores chunks under ~/.local/share/local-rag/chromadb/ |
| Network | READ | READ | ✓ Aligned | sentence_transformers and FlagEmbedding download models from HuggingFace |
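The parent-child chunking and result deduplication that the summary above attributes to the skill, shown as an added illustration (this is not local-rag's code): child chunks are the units that get embedded and matched, each child carries its parent's ID, and retrieval collapses hits to one result per parent so the same passage cannot surface twice. The chunk sizes, the ID scheme, the `doc1` sample and the keyword scorer that stands in for BGE-M3/ChromaDB similarity search are all assumptions made for this example.

```python
"""Parent-child chunking with parent-level dedup (added example, not local-rag code).

Assumptions: chunk sizes, the "<doc>:p<n>" parent ID scheme and the
keyword scorer below are illustrative stand-ins for the real
embedding-based retrieval.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    chunk_id: str   # stable ID derived from parent + position + text
    parent_id: str  # the parent chunk this child belongs to
    text: str


def split_words(text: str, size: int, overlap: int) -> list:
    """Fixed-size word windows; overlap keeps phrases from being cut at a boundary."""
    words = text.split()
    step = max(1, size - overlap)
    return [" ".join(words[i:i + size]) for i in range(0, len(words), step)]


def build_chunks(doc_id: str, text: str, parent_size: int = 40,
                 child_size: int = 10, overlap: int = 2):
    """Return ({parent_id: parent_text}, [child Chunk, ...])."""
    parents, children = {}, []
    for p_idx, parent_text in enumerate(split_words(text, parent_size, 0)):
        parent_id = f"{doc_id}:p{p_idx}"
        parents[parent_id] = parent_text
        for c_idx, child_text in enumerate(split_words(parent_text, child_size, overlap)):
            raw = f"{parent_id}:{c_idx}:{child_text}".encode()
            cid = hashlib.sha256(raw).hexdigest()[:16]
            children.append(Chunk(cid, parent_id, child_text))
    return parents, children


def keyword_score(query: str, text: str) -> int:
    """Toy relevance: number of query terms occurring in the chunk (stand-in for cosine similarity)."""
    q = set(query.lower().split())
    return sum(1 for w in text.lower().split() if w in q)


def retrieve(query: str, parents: dict, children: list, k: int = 3) -> list:
    """Rank children, then return at most one (parent_id, parent_text) per parent."""
    ranked = sorted(children, key=lambda c: keyword_score(query, c.text), reverse=True)
    seen, out = set(), []
    for c in ranked:
        if keyword_score(query, c.text) == 0:
            break                      # nothing relevant left
        if c.parent_id in seen:
            continue                   # dedup: this parent is already a result
        seen.add(c.parent_id)
        out.append((c.parent_id, parents[c.parent_id]))
        if len(out) == k:
            break
    return out


def demo():
    """Constructed 80-word document: the phrase appears twice in parent 0, once in parent 1."""
    words = ["filler"] * 80
    words[3], words[4], words[12], words[13], words[50] = "secret", "token", "secret", "token", "secret"
    parents, children = build_chunks("doc1", " ".join(words))
    hits = retrieve("secret token", parents, children, k=3)
    return parents, children, hits


if __name__ == "__main__":
    _, _, hits = demo()
    for pid, _ in hits:
        print(pid)
```

Without the `seen` set, the two overlapping children of `doc1:p0` would both appear, returning the same parent passage twice; with it, the second hit is the genuinely different `doc1:p1`.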
File Tree
3 files · 16.1 KB · 495 lines (Python: 2 files, 413 lines; Markdown: 1 file, 82 lines)
├─ scripts/
│  ├─ index.py (Python)
│  └─ query.py (Python)
└─ SKILL.md (Markdown)
Dependencies (5 items; a version of `*` means no version constraint is declared)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| chromadb | * | pip | No | Standard vector database; no vulnerabilities relevant to this use case |
| sentence-transformers | * | pip | No | Downloads models from HuggingFace; declared and expected |
| FlagEmbedding | * | pip | No | Provides BGE-RERANKER-LARGE; declared and expected |
| pdfplumber | * | pip (on-demand) | No | Installed on demand via `uv pip`; not bundled |
| python-docx | * | pip (on-demand) | No | Installed on demand via `uv pip`; not bundled |
Security Positives
✓ All behavior fully declared in SKILL.md — indexing, storage paths, model sources, and supported formats are all documented
✓ File hashing (SHA-256) prevents re-indexing unchanged files — no unnecessary re-processing
✓ File locking (fcntl) prevents concurrent indexing runs
✓ Subprocess calls for dependency installation (pdfplumber, python-docx) are a standard CLI tool pattern and are not hidden; note that they fetch unpinned versions at runtime (see the Dependencies table)
✓ No credential access, no environment variable iteration, no sensitive path access
✓ No data exfiltration — all indexed data stays in ~/.local/share/local-rag/
✓ Chunking strategy with deduplication prevents duplicate results
✓ No base64-encoded commands, no requests to hard-coded IP addresses, no eval/exec or AST-based code-execution tricks
✓ Source code is readable and straightforward with no obfuscation
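The two mechanisms behind the SHA-256 and fcntl positives above, written out as an added example so a reviewer can see what "prevents re-indexing unchanged files" and "prevents concurrent indexing runs" look like in practice. This is not local-rag's code: the manifest file name, the lock file name, the JSON layout and the function names are assumptions, and the embed/upsert step is left as a comment since the point is the gating, not the vector store.

```python
"""Hash-gated, lock-guarded indexing pass (added example, not local-rag's code).

Assumptions (not from the scan report): LOCK_NAME, MANIFEST_NAME, the
manifest's JSON layout and every function name here are hypothetical.
"""
import fcntl
import hashlib
import json
import os
from pathlib import Path

LOCK_NAME = "index.lock"         # assumed file name
MANIFEST_NAME = "manifest.json"  # assumed file name: {absolute path: sha256 hex}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large PDF never sits whole in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def load_manifest(state_dir: Path) -> dict:
    p = state_dir / MANIFEST_NAME
    return json.loads(p.read_text()) if p.exists() else {}


def save_manifest(state_dir: Path, manifest: dict) -> None:
    """Write to a temp file and rename, so a crash mid-write cannot corrupt the manifest."""
    tmp = state_dir / (MANIFEST_NAME + ".tmp")
    tmp.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    os.replace(tmp, state_dir / MANIFEST_NAME)


def index_once(source_dir: Path, state_dir: Path, suffixes=(".txt", ".md")) -> dict:
    """One indexing pass. Returns {"indexed": [...], "skipped": [...]}.

    Raises BlockingIOError if another pass already holds the exclusive
    flock, which is the 'no concurrent indexing runs' guarantee.
    """
    state_dir.mkdir(parents=True, exist_ok=True)
    lock_fd = os.open(state_dir / LOCK_NAME, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        # LOCK_NB: fail immediately instead of queueing behind the other run
        fcntl.flock(lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        manifest = load_manifest(state_dir)
        result = {"indexed": [], "skipped": []}
        for path in sorted(source_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in suffixes:
                continue
            key = str(path.resolve())
            digest = sha256_file(path)
            if manifest.get(key) == digest:
                result["skipped"].append(key)   # unchanged since last pass
                continue
            # Real code would chunk, embed and upsert into ChromaDB here;
            # this example only records the new hash.
            manifest[key] = digest
            result["indexed"].append(key)
        save_manifest(state_dir, manifest)
        return result
    finally:
        fcntl.flock(lock_fd, fcntl.LOCK_UN)
        os.close(lock_fd)


def demo(tmp_root: Path) -> tuple:
    """Constructed sample corpus: returns (first pass, repeat pass, pass after an edit)."""
    src = tmp_root / "docs"
    src.mkdir(parents=True, exist_ok=True)
    (src / "a.txt").write_text("first document")
    (src / "b.md").write_text("second document")
    (src / "ignore.bin").write_bytes(b"\x00\x01")   # unsupported suffix, never indexed
    state = tmp_root / "state"
    first = index_once(src, state)
    second = index_once(src, state)
    (src / "a.txt").write_text("first document, edited")
    third = index_once(src, state)
    return first, second, third


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for r in demo(Path(d)):
            print(r)
```

The hash gate is a content check, not an mtime check, so touching a file without changing it is still a no-op, and the non-blocking exclusive lock means a second invocation errors out at once rather than silently double-indexing into the same store.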