Skill v1.0.0

ClawScan security

RAG System Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 11:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly describes building a local RAG system, but it claims 'completely offline' while its instructions explicitly download models from Hugging Face and fall back to online loading — an inconsistency users should understand before running anything.
Guidance
This skill provides useful, coherent templates for building a local RAG system, but pay attention to the following before installing or running anything:
- Offline claim vs. reality: Despite claiming 'works completely offline', the Quick Start and code instruct you to download models with huggingface_hub.snapshot_download and allow SentenceTransformer to load models by name (which will fetch from Hugging Face). Expect at least one network download to obtain model files unless you already have the model locally.
- Network and disk usage: Model files are large (hundreds of MBs to GBs). Make sure you have enough disk space and bandwidth and that you trust the model source (the instructions point to Hugging Face's sentence-transformers official repo, which is standard).
- Review code before running: The skill is instruction-only; it provides templates that will create and run Python code and a Flask web endpoint. Inspect the generated files (rag.py, web_interface.py, ingestion scripts) before running, especially if you plan to host the web UI on a machine accessible to others, since it will expose your ingested document contents over HTTP.
- Run in an isolated environment: Use a virtualenv or container to avoid polluting your system Python environment. If you want to limit risk, run ingestion and model downloads on an isolated VM or sandbox.
- No secret exfiltration detected: There are no required credentials or obfuscated endpoints in the provided files, and the regex scanner found no issues. However, because the skill instructs network downloads and runs code templates created at runtime, always validate the exact commands and code you execute.

If you want a truly offline workflow, ensure you manually download and place the model files into the indicated local_model_path and avoid running the snapshot_download or online fallback steps.

Review Dimensions

Purpose & Capability
note
The stated purpose (local/offline RAG with FAISS and sentence-transformers) matches the provided templates and instructions. However, the README/SKILL.md repeatedly claim 'works completely offline' while the Quick Start and code show explicit calls to huggingface_hub.snapshot_download and SentenceTransformer(model_name) fallback behavior that will fetch model artifacts over the network. This is a noteworthy contradiction of the advertised 'offline' promise.
Instruction Scope
note
Instructions stay within the domain of building a RAG system (file ingestion, embedding generation, FAISS index, optional Flask web UI). They do instruct running pip installs, using huggingface_hub to download models, and provide examples that use os.system to run ingest commands. The web interface example exposes a local HTTP endpoint which will serve queries and therefore can expose ingested document content if hosted — expected for a web UI but worth noting. No instructions ask for unrelated system files or credentials.
Install Mechanism
ok
This is an instruction-only skill with no install spec or bundled code to write to disk. It tells users to pip install common Python packages (sentence-transformers, faiss-cpu, click, flask) and to download models from Hugging Face. Those are standard, traceable operations; there are no obscure download URLs or archive extraction instructions from untrusted hosts.
Credentials
ok
The skill requests no environment variables or credentials. The only external interaction is for model download from Hugging Face; no API keys are declared or required. This is proportionate to the task of obtaining large model artifacts, though network access contradicts the 'offline' claim.
Persistence & Privilege
ok
The skill does not request always:true, does not modify agent configuration, and is user-invocable only. It does create local files and model/index directories as part of normal operation, which is appropriate for a local RAG system.