rag-knowledge-assistant

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local document-search skill, but it includes unrelated and unsafe GitHub token instructions that users should review carefully.

Install only if you need a local RAG index over a deliberately chosen document folder. Do not follow the token-in-URL examples in PUSH_GUIDE.md; use SSH, GitHub CLI, or a credential manager for GitHub authentication. Avoid indexing secrets or regulated data, treat the vectorstore as sensitive persisted data, use a virtual environment with reviewed dependency versions, and be careful that --rebuild deletes the selected output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation describes actions that read from the knowledge directory, write a persistent vector store, and optionally access network-backed embedding services or local HTTP services, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent may invoke filesystem or network-capable components without users or the platform having an explicit permission boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented behavior does not fully match the broader capabilities indicated by the analysis, including unrelated PDF-to-image functionality and Ollama-based HTTP access not disclosed in the main description. Description-behavior mismatch is dangerous because users and orchestrators may trust the skill for a narrow RAG purpose while it actually exposes additional processing and network surfaces that change the risk profile.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The guide explicitly instructs users to place a GitHub personal access token directly in the remote URL for `git push`. This is dangerous because tokens embedded in command lines can be exposed through shell history, process listings, terminal logs, screenshots, or pasted transcripts, leading to credential theft and unauthorized repository access.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The quick-push example repeats the insecure pattern of embedding a live GitHub token in the push URL, normalizing unsafe credential handling. Because this is presented as a convenient copy-paste workflow, it increases the chance that users will expose secrets in shell history or shared terminals and accidentally leak repository credentials.

VirusTotal

66/66 vendors flagged this skill as clean.