Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LightRAG Search Skill

Search and manage knowledge bases using LightRAG API. Supports multiple servers, context-aware writing, and direct information retrieval. Use when the user wants to query a LightRAG-powered knowledge base or use it as context for tasks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 2k · 2 current installs · 2 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the provided code and instructions: the script configures servers and queries a LightRAG /query endpoint and supports the documented modes.
Instruction Scope
SKILL.md and the script limit actions to reading/writing ~/.lightrag_config.json and making HTTP POSTs to configured servers, which aligns with the purpose. However, the code unconditionally disables SSL certificate verification (ssl.CERT_NONE) when contacting servers — a risky behavior not mentioned in SKILL.md and which can enable MitM attacks or accidental data exposure.
Install Mechanism
No install spec; this is an instruction-only skill with one included script. Nothing is downloaded or installed by the skill itself.
Credentials
No environment variables or unrelated credentials are requested. The script stores optional API keys in ~/.lightrag_config.json in plaintext — reasonable for functionality but provides no encryption or guidance on file permissions.
Persistence & Privilege
The skill does not request persistent/global privileges (always=false). It only reads/writes its own config file and does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says (configure and query LightRAG servers) but has two practical security issues you should consider before installing or adding credentials:

(1) The script disables SSL certificate verification when making requests. That means a malicious or compromised network or server could intercept or tamper with requests and responses. Prefer only adding trusted servers, or modify the script to validate certificates (remove the ssl.CERT_NONE override) or add an explicit flag to opt-out only when needed.

(2) API keys (if used) are stored unencrypted in ~/.lightrag_config.json. If you must store keys, restrict the file permissions (e.g., chmod 600) or use a secure credential store / OS keyring instead.

Additional suggestions: review the script before use, avoid sending sensitive queries to untrusted servers (a configured server could log or exfiltrate queries/responses), and consider running network-restricted/isolated instances if you will point the skill at untrusted endpoints. If you want higher assurance, ask the author to remove the SSL bypass and to add guidance for secure storage of API keys.
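An added example, not the skill's own script, of the two fixes the assessment recommends: certificate verification on by default with an explicit opt-out, and a config file held at mode 0600. The function names and the `insecure` parameter are hypothetical, and POSIX file permissions are assumed.

```python
import json
import os
import ssl
import stat
from pathlib import Path

# Path taken from SKILL.md; all function names below are hypothetical.
CONFIG_PATH = Path.home() / ".lightrag_config.json"


def build_ssl_context(insecure: bool = False) -> ssl.SSLContext:
    """Verify certificates by default; CERT_NONE only on explicit opt-out."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if insecure:
        # check_hostname must be cleared before verify_mode may be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def write_config(cfg: dict, path: Path = CONFIG_PATH) -> None:
    """Write the config so stored API keys are readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # tighten a pre-existing, looser file before writing
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)


def load_config(path: Path = CONFIG_PATH) -> dict:
    """Refuse a config file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {oct(mode)}; run chmod 600")
    with open(path) as fh:
        return json.load(fh)
```

The context returned by `build_ssl_context()` can be passed to `urllib.request.urlopen(..., context=ctx)`, so an unverified connection happens only when the caller asks for it.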

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latest: vk97a70mkct15fn9fpc97c1eh8580b2kn

SKILL.md

LightRAG Skill

This skill allows you to interact with one or more LightRAG API servers. You can perform queries in various modes (local, global, hybrid, mix, naive) and use the retrieved context for further processing.

Configuration

The skill uses a configuration file at ~/.lightrag_config.json to store server details. Format:

{
  "servers": {
    "alias1": {
      "url": "http://server1:9621",
      "api_key": "optional_key"
    },
    "alias2": {
      "url": "http://server2:9621",
      "api_key": "optional_key"
    }
  },
  "default_server": "alias1"
}

Workflows

1. Direct Search

To find information, use scripts/query_lightrag.py. Modes: local, global, hybrid, mix, naive.

2. Using Context for Writing

To use a knowledge base as context (e.g., for a test or article):

  1. Run query_lightrag.py with the --only-context flag.
  2. Pass the resulting context to your writing task/model.

Reference

See API_DOCS.md for endpoint details.

Files

3 total