RAG System Builder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local document/RAG skill, but its offline privacy claims are undercut by possible Hugging Face network access and plaintext local persistence of ingested document text.

Review this skill before installing if you plan to use private or regulated documents. Treat it as not strictly offline unless you can disable remote model fallback and pre-seed the model yourself, and protect or delete the vector-store directory because it may contain readable copies of ingested text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill explicitly promises that the system works completely offline, but the documented implementation falls back to loading a model from Hugging Face if the local path is missing or fails. In practice, this can cause unexpected outbound network access, undermining privacy assumptions and potentially exposing environment metadata in contexts where users rely on strict offline handling for sensitive documents.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The documentation's 'no external API calls required' claim is contradicted by code that may contact Hugging Face to resolve the embedding model. This mismatch is security-relevant because users may ingest confidential material under a false assumption that the system will never initiate external communication.

Missing User Warnings

Low
Confidence: 95%
Finding
The README instructs users to run a `snapshot_download` command but does not disclose that it performs a network request to Hugging Face and writes model files to a local directory. This is a real security/transparency issue because users may assume the workflow is fully offline from the surrounding claims and may unknowingly fetch remote content and consume local disk space.

Missing User Warnings

Medium
Confidence: 92%
Finding
The one-time model download step explicitly contacts Hugging Face, yet the skill does not warn users that this transfers network and client metadata despite repeated offline assurances. In sensitive or air-gapped environments, omission of this disclosure can lead to policy violations, privacy leakage, or deployment in environments where any unexpected egress is unacceptable.

Missing User Warnings

Medium
Confidence: 95%
Finding
The ingestion flow stores full chunk text inside metadata and writes that metadata to disk as JSON, but the skill does not warn users that document contents will be persisted locally in readable form. For a RAG system intended for arbitrary documents, this increases the risk of sensitive data exposure through local file access, backups, endpoint compromise, or accidental sharing of the vector store directory.

VirusTotal

64/64 vendors flagged this skill as clean.