Back to skill
Skillv1.0.0
VirusTotal security
RAG System Builder · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:06 AM
- Hash
- ccfc60e2e8036deef22da9be479d78aeb6e6d5aa5f92808413c3512061f564b5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: rag-system-builder Version: 1.0.0 The skill provides a template for building a local RAG system but contains a shell injection vulnerability in USAGE.md, where os.system() is used with f-strings to process document folders. Additionally, the provided Flask web interface example in USAGE.md enables debug=True, which is a security risk that can lead to remote code execution (RCE) via the interactive debugger. While these appear to be unintentional coding flaws in a tutorial context rather than intentional malware, they represent significant security vulnerabilities.
- External report
- View on VirusTotal