Knowledge RAG

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real personal knowledge search skill, but its web server can expose private indexed content and file metadata on the network without authentication.

Install only if you are comfortable indexing the chosen personal documents and running a local web service. Keep the server bound to localhost if possible, avoid using it on shared or untrusted networks, do not enable the systemd service unless you want it always running, and prefer the official Ollama download over piping an installer directly into a shell.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions even though the documentation clearly instructs users to read and write local files, invoke shell commands, access the network, and run a local web server. That gap weakens informed consent and makes it harder for users or platforms to understand the true access footprint before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose is a personal knowledge search engine, but the skill also documents a local HTTP server, file listing with metadata, config modification, index management, and Ollama status/model inspection. These behaviors may be functionally related, but they materially expand the attack surface and data exposure beyond simple search, so users are not getting a complete behavioral description upfront.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The server accepts arbitrary configuration updates over HTTP and persists them without authentication or validation, including the knowledge directory and scanned sources. An attacker who can reach the service can repoint scanning to sensitive local paths and influence what local content gets indexed and exposed through search and stats APIs.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The service exposes an unauthenticated endpoint that triggers execution of a local indexing script. While the command is fixed and not shell-injectable, remote callers can still force resource-intensive indexing runs and cause local processing of attacker-selected content if combined with config changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill encourages indexing personal notes, transcripts, and articles and later exposes search through a browser-accessible web UI, but it does not clearly warn that local document contents and metadata may become searchable and viewable through that interface. On shared machines or misconfigured hosts, this can unintentionally expose sensitive personal data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The stats API enumerates local knowledge files and returns names, directories, sizes, and modification times with no authentication. This leaks sensitive metadata about a user's local documents and makes the risk worse because the server listens on 0.0.0.0 and also enables cross-origin reads via wildcard CORS.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Remember to replace /path/to/ above with the actual path

systemctl --user daemon-reload
systemctl --user enable knowledge-server.service
systemctl --user start knowledge-server.service
```
Confidence
84% confidence
Finding
systemctl --user enable

Session Persistence

Medium
Category
Rogue Agent
Content
Linux systems (including WSL2 with systemd enabled):
```bash
# Create a user-level systemd service
mkdir -p ~/.config/systemd/user/
cat > ~/.config/systemd/user/knowledge-server.service << 'SERVICE'
[Unit]
Description=知识仓库搜索界面
```
Confidence
85% confidence
Finding
mkdir -p ~/.config/systemd/user/ cat > ~/.config

External Script Fetching

High
Category
Supply Chain
Content
Download and install from <https://ollama.com/download>, or:
```bash
# Linux / macOS
curl -fsSL https://ollama.com/install.sh | sh

# Windows: download the installer package from the official site
```
Confidence
97% confidence
Finding
curl -fsSL https://ollama.com/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
Download and install from <https://ollama.com/download>, or:
```bash
# Linux / macOS
curl -fsSL https://ollama.com/install.sh | sh

# Windows: download the installer package from the official site
```
Confidence
98% confidence
Finding
| sh

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal