
Security audit

Enterprise Knowledge Base Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent enterprise knowledge-base skill, but it needs Review because it under-discloses external processing, shared storage, and destructive deletion behavior.

Review before installing in any sensitive or enterprise environment. Treat document text, chunks, queries, and reranking inputs as potentially leaving the machine when DashScope or OpenAI is configured; avoid uploading confidential data unless those providers are approved. Restrict the shared KB directory, protect API keys, and require an operator confirmation or backup process before using delete or reset commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet the documentation clearly indicates capabilities to read/write files, access environment variables for API keys, and execute shell commands. This creates a permission transparency and enforcement gap: the host may not prompt appropriately, and users or orchestrators may invoke a skill with more power than its manifest suggests.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README makes a strong privacy claim that all data is stored locally and not uploaded to the cloud, but the documented setup requires external DashScope or OpenAI API keys for embeddings and likely RAG-related processing. This can mislead users into uploading sensitive enterprise documents under false assumptions, creating a real confidentiality and compliance risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation says all data remains local, but it also requires external embedding/API providers such as DashScope or OpenAI. That means document contents or chunks may be transmitted off-host during embedding or query processing, which is a material security and privacy misrepresentation that could cause users to expose sensitive enterprise documents unintentionally.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file claims each skill instance has isolated storage, but elsewhere it specifies a shared system-wide knowledge base directory used across skills and agents. This contradiction can mislead operators into assuming tenant isolation that does not exist, increasing the risk of cross-agent data exposure, unintended modification, or broader access than expected.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script creates a system-wide shared knowledge-base directory and explicitly states that all skills will use it, which expands scope beyond a single kb-manager skill into cross-skill shared state. In an agent ecosystem, this can weaken isolation boundaries, enable unintended data sharing between skills, and increase the blast radius if one skill mishandles or poisons the shared store.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to persist API keys in a local JSON config file in plaintext, but provides no warning about credential sensitivity, file permissions, secret scanning, or safer alternatives. This increases the risk of accidental disclosure through backups, repository commits, shared home directories, or local compromise, especially because the skill handles enterprise knowledge base content and likely privileged API access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The troubleshooting instructions tell users to print the API key environment variable directly to the terminal, which can expose the full secret on screen, in terminal scrollback, recordings, shared sessions, or support logs. This is an avoidable secret-handling weakness because validation can be done without revealing the credential value.
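As an added example (not code from the skill or from this report), the three local hardening steps the two findings above and the overview call for, in the skill's own language: refuse a plaintext config.json that other users on the host can read, prove that a key is configured without printing it, and check that the knowledge-base directory is owner-only. The names load_api_key, mask_secret, check_private_dir, the KB_API_KEY variable, the config.json layout and the sample key are all assumptions constructed for this example; nothing here is read from the skill's files.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Illustrative names: the skill's real config layout and environment variable are not known here.
CONFIG_NAME = "config.json"
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def mask_secret(secret: str) -> str:
    """Display form for a validation message: proves a key is set, never prints it.
    Short values are fully masked so a prefix cannot narrow them down."""
    if len(secret) < 12:
        return "*" * len(secret)
    return f"{secret[:3]}...{secret[-2:]} ({len(secret)} chars)"


def accessible_by_others(path: Path) -> bool:
    """True if group or world holds any permission bit on path."""
    return bool(stat.S_IMODE(path.stat().st_mode) & GROUP_OR_OTHER)


def load_api_key(env_var: str, config_dir: Path) -> Tuple[Optional[str], List[str]]:
    """Prefer the environment; fall back to config.json only when it is owner-only.
    Returns (key or None, warnings). Warnings carry at most the masked key."""
    warnings: List[str] = []
    key = os.environ.get(env_var)
    if key:
        return key, warnings
    cfg = config_dir / CONFIG_NAME
    if not cfg.is_file():
        warnings.append(f"{env_var} is unset and {cfg} does not exist")
        return None, warnings
    if accessible_by_others(cfg):
        warnings.append(f"{cfg} is readable by group/others; run chmod 600 and retry")
        return None, warnings
    key = json.loads(cfg.read_text()).get("api_key")
    if not key:
        warnings.append(f"{cfg} has no api_key entry")
        return None, warnings
    warnings.append(f"using api_key from {cfg}: {mask_secret(key)}")
    return key, warnings


def check_private_dir(kb_dir: Path) -> List[str]:
    """Problems with a knowledge-base directory that should be private to this operator."""
    problems: List[str] = []
    st = kb_dir.stat()
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{kb_dir} is owned by uid {st.st_uid}, not the current user")
    if accessible_by_others(kb_dir):
        problems.append(f"{kb_dir} is accessible to group/others; run chmod 700")
    return problems


def demo() -> dict:
    """Constructed scenario: a 0644 config.json, the same file at 0600, an environment
    override, and a knowledge-base directory before and after tightening."""
    sample_key = "sk-constructed-example-key-0123456789"  # fake value, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = Path(tmp)
        cfg = cfg_dir / CONFIG_NAME
        cfg.write_text(json.dumps({"api_key": sample_key}))
        os.environ.pop("KB_API_KEY", None)
        os.chmod(cfg, 0o644)
        loose_key, loose_warn = load_api_key("KB_API_KEY", cfg_dir)
        os.chmod(cfg, 0o600)
        tight_key, tight_warn = load_api_key("KB_API_KEY", cfg_dir)
        os.environ["KB_API_KEY"] = "env-constructed-key-abcdefghijk"
        env_key, _ = load_api_key("KB_API_KEY", cfg_dir)
        os.environ.pop("KB_API_KEY", None)
        kb = cfg_dir / "knowledge_base"
        kb.mkdir()
        os.chmod(kb, 0o775)
        shared_problems = check_private_dir(kb)
        os.chmod(kb, 0o700)
        private_problems = check_private_dir(kb)
    return {
        "loose_key": loose_key, "loose_warnings": loose_warn,
        "tight_key": tight_key, "tight_warnings": tight_warn,
        "env_key": env_key,
        "shared_problems": shared_problems, "private_problems": private_problems,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The validation message in tight_warnings shows `sk-...89 (37 chars)` rather than the key, which is all an operator needs to confirm the right credential is loaded; a short-lived environment variable still wins over the file, so CI and container deployments never need the plaintext config at all.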

Missing User Warnings

High
Confidence
84% confidence
Finding
The document includes forceful recursive deletion commands for the vector database and document store without any warning, confirmation step, backup prerequisite, or recovery note. In an enterprise knowledge-base skill, this can cause immediate irreversible loss of stored documents and embeddings, leading to data loss and operational disruption if copied blindly or triggered during troubleshooting.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions require external embedding/LLM providers but do not warn that uploaded document content and user queries may be sent to those providers. In an enterprise knowledge-base context, this omission is dangerous because users may ingest internal policies, HR files, contracts, or other sensitive data without informed consent or appropriate governance review.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description suggests invocation for broad business questions without clear boundaries, which can cause over-broad activation and unnecessary retrieval from the enterprise knowledge base. In practice, that may expose sensitive internal content in contexts where a normal conversational response would have sufficed, and it increases the chance of accidental tool use on unrelated prompts.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Telling users they can directly ask questions for intelligent Q&A is too vague for a skill that can access internal knowledge sources. Ambiguous triggers can lead to automatic retrieval on general conversation, causing unnecessary access to enterprise documents and increasing the likelihood of sensitive information surfacing unintentionally.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The statement that the system will automatically search documents when the user asks directly lacks any trigger boundary or safety conditions. Automatic retrieval against a corporate KB without precise activation rules can broaden data exposure and create unpredictable behavior, especially in multi-agent or shared-storage deployments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill exposes document deletion functionality but does not warn about data loss or state that confirmation is required. In a knowledge-management tool with shared system-wide storage, accidental or misunderstood deletion can permanently remove documents for multiple users or agents, making the operational impact significant.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The interactive prompt accepts arbitrary user questions and forwards them into the retriever pipeline, which may invoke external embedding or retrieval services configured via API-backed providers. Without a clear notice or consent mechanism, users may unknowingly submit sensitive corporate data, policy questions, or personal information to third-party services, creating a confidentiality and compliance risk in an enterprise knowledge-base context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User query text is sent to an external reranking service, which can expose sensitive internal business questions, policy lookups, or proprietary terms to a third party. In a corporate knowledge-base skill, queries are often confidential, so transmitting them off-platform without explicit notice, consent, or policy controls creates a real data exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete path executes immediately when a message contains a matching document ID, with no confirmation step, warning, or authorization check visible in this interface. In a chat-driven knowledge base tool, ambiguous phrasing, prompt injection via surrounding workflow, or accidental user input could trigger irreversible deletion of stored knowledge assets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends full document chunks to an external embedding provider via self.embedder.embed_texts(chunk_texts) without any visible consent check, disclosure, or data-classification gate in this processing path. In an enterprise knowledge-base skill, uploaded documents may contain confidential business data, employee information, or regulated content, so silent transmission to a third-party model provider creates a real data-exposure and compliance risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The embedder sends arbitrary input texts to third-party embedding APIs, which can include sensitive enterprise documents, policies, or user queries in this knowledge-base management context. The code performs this transfer transparently and provides no built-in notice, consent, or data-classification guardrails, creating a real privacy and compliance risk rather than a purely informational issue.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The connection-validation method performs a real outbound API call using a test string, which may surprise operators and can trigger unintended network egress, billing, or policy violations in restricted environments. Although the payload is not sensitive, the hidden remote side effect makes this a genuine security/privacy concern.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reranker sends the user's query and the full document contents to DashScope's external TextReRank API, which can expose potentially sensitive enterprise knowledge-base data to a third party. In a knowledge-base management skill, uploaded documents may contain internal policy, business process, or confidential company information, so transmitting them off-platform without explicit consent, disclosure, or data-classification controls creates a real confidentiality and compliance risk.
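The findings above on embedding, retrieval and reranking egress, together with the connection-validation finding, all point to the same missing control: a gate between the skill and any provider that is not local. As an added example, not code from the skill, here is one shape for that gate in Python: an approved-provider list, a classification label that is raised automatically when a chunk or query carries obvious secrets, an audit record that stores a digest rather than the text, and a connection check that stays offline unless the operator opts in. EgressPolicy, classify, gate, guarded_embed, guarded_rerank, validate_connection, the provider labels "local" and "dashscope" used as dictionary keys, and every sample chunk are constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence

# Illustrative policy model; the skill has no equivalent, and "dashscope"/"local" are only labels here.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Cheap content signals that raise a chunk's label regardless of what the uploader declared.
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"),   # API-key-shaped token
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),    # US SSN shape
]


class EgressDenied(Exception):
    pass


@dataclass
class EgressPolicy:
    approved_providers: set                 # providers cleared by governance review
    max_classification: str = "internal"    # highest label allowed to leave the host
    audit_log: List[Dict] = field(default_factory=list)


def classify(text: str, declared: str = "internal") -> str:
    """Return the higher of the declared label and what the content itself reveals."""
    label = declared
    if any(p.search(text) for p in SECRET_PATTERNS):
        label = "restricted"
    elif "CONFIDENTIAL" in text.upper() and LEVELS[label] < LEVELS["confidential"]:
        label = "confidential"
    return label


def gate(policy: EgressPolicy, provider: str, texts: Sequence[str], declared: str) -> str:
    """Local processing is always allowed; remote only for approved providers and labels at
    or below the policy ceiling. The audit entry holds a digest, never the text."""
    label = max((classify(t, declared) for t in texts), key=LEVELS.__getitem__)
    remote = provider != "local"
    digest = hashlib.sha256("\n".join(texts).encode()).hexdigest()[:16]
    allowed = (not remote) or (
        provider in policy.approved_providers
        and LEVELS[label] <= LEVELS[policy.max_classification]
    )
    policy.audit_log.append({"provider": provider, "label": label, "items": len(texts),
                             "sha256": digest, "allowed": allowed})
    if not allowed:
        raise EgressDenied(f"{label} content may not be sent to {provider}")
    return label


def guarded_embed(policy, provider, embed_fn: Callable, texts: Sequence[str], declared="internal"):
    gate(policy, provider, texts, declared)
    return embed_fn(list(texts))


def guarded_rerank(policy, provider, rerank_fn: Callable, query: str, docs: Sequence[str], declared="internal"):
    """The query is checked together with the candidate documents: both leave the host."""
    gate(policy, provider, [query, *docs], declared)
    return rerank_fn(query, list(docs))


def validate_connection(provider: str, ping_fn: Callable[[], bool], allow_network: bool = False) -> str:
    """Never send a test request unless the operator explicitly opts in."""
    if provider == "local":
        return "ok (no network needed)"
    if not allow_network:
        return f"skipped: pass allow_network=True to send a test request to {provider}"
    return "ok" if ping_fn() else "failed"


def attempt(fn: Callable) -> str:
    try:
        fn()
        return "sent"
    except EgressDenied:
        return "denied"


def demo() -> dict:
    """Constructed chunks and a query, run through a strict and a permissive policy."""
    chunks = [
        "Holiday schedule for 2025 is posted on the intranet.",
        "CONFIDENTIAL: Q3 acquisition target list and offer prices.",
        "Payroll onboarding for employee SSN 123-45-6789.",
    ]
    remote_calls: List[int] = []   # how many texts each fake remote call would have received
    def remote_embed(texts): remote_calls.append(len(texts)); return [[0.0, 0.0] for _ in texts]
    def local_embed(texts): return [[float(len(t)), 0.0] for t in texts]
    def remote_rerank(q, docs): remote_calls.append(1 + len(docs)); return docs

    strict = EgressPolicy(approved_providers={"local"})
    approved = EgressPolicy(approved_providers={"local", "dashscope"}, max_classification="internal")
    out = {
        "unapproved_provider": attempt(lambda: guarded_embed(strict, "dashscope", remote_embed, chunks[:1], "public")),
        "public_chunk": attempt(lambda: guarded_embed(approved, "dashscope", remote_embed, chunks[:1], "public")),
        "confidential_chunk": attempt(lambda: guarded_embed(approved, "dashscope", remote_embed, [chunks[1]])),
        "ssn_chunk": attempt(lambda: guarded_embed(approved, "dashscope", remote_embed, [chunks[2]])),
        "rerank_with_confidential_doc": attempt(lambda: guarded_rerank(
            approved, "dashscope", remote_rerank, "what is our offer price?", chunks[:2])),
        "local_all_chunks": attempt(lambda: guarded_embed(approved, "local", local_embed, chunks)),
    }
    out["remote_calls"] = remote_calls
    out["audit"] = approved.audit_log
    out["validate"] = validate_connection("dashscope", lambda: True)
    return out
```

Only the public chunk ever reaches the fake remote embedder (remote_calls stays at [1]); the confidential chunk, the SSN chunk and the rerank call that would have carried the confidential document are all refused, while the local path accepts everything. The same gate sits in front of any reranking call, since a rerank request ships the query and the candidate documents together.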

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete_document method permanently removes both database records and matching files immediately based only on a document_id, with no confirmation step, soft-delete, authorization check, or safety guard visible in this component. In a knowledge-base management skill, deletion is a high-risk operation because accidental invocation, misuse by an upstream agent, or prompt-induced tool use can cause irreversible loss of enterprise documents and indexed content.
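The deletion findings (the reset commands, the chat-driven delete path, and delete_document itself) call for the same set of guards: a confirmation that cannot be satisfied by a document ID merely appearing in a message, an ownership check, a soft delete that can be undone, and a backup taken before any reset. As an added example, not the skill's code, this Python sketch implements those guards on a toy store with a JSON index and one file per document. KBStore, DeleteRefused, the `.trash` directory, the confirmation phrases and the two sample documents are all assumptions of the example; the skill's real vector database layout is not modelled.

```python
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


class DeleteRefused(Exception):
    pass


class KBStore:
    """Toy store: index.json maps doc_id -> {owner, file}; docs/ holds files; .trash/ holds soft deletes."""

    def __init__(self, root: Path):
        self.root, self.docs, self.trash = root, root / "docs", root / ".trash"
        self.index = root / "index.json"
        for d in (self.docs, self.trash):
            d.mkdir(parents=True, exist_ok=True)
        if not self.index.exists():
            self._save({})

    def _load(self) -> Dict[str, Dict]:
        return json.loads(self.index.read_text())

    def _save(self, idx: Dict) -> None:
        self.index.write_text(json.dumps(idx))

    def ids(self) -> List[str]:
        return sorted(self._load())

    def add(self, doc_id: str, text: str, owner: str) -> None:
        idx = self._load()
        (self.docs / f"{doc_id}.txt").write_text(text)
        idx[doc_id] = {"owner": owner, "file": f"{doc_id}.txt"}
        self._save(idx)

    def delete_document(self, doc_id: str, actor: str, confirm: Optional[str] = None) -> Path:
        """Soft delete. The actor must own the document and pass the exact phrase
        'delete <doc_id>'; a document ID merely occurring in a chat message is not enough."""
        idx = self._load()
        if doc_id not in idx:
            raise KeyError(doc_id)
        if idx[doc_id]["owner"] != actor:
            raise DeleteRefused(f"{actor} is not the owner of {doc_id}")
        if confirm != f"delete {doc_id}":
            raise DeleteRefused(f"refusing: confirm with the exact phrase 'delete {doc_id}'")
        entry = idx.pop(doc_id)
        dst = self.trash / f"{time.time_ns()}-{entry['file']}"
        shutil.move(str(self.docs / entry["file"]), str(dst))
        dst.with_suffix(".meta.json").write_text(json.dumps({"doc_id": doc_id, **entry}))
        self._save(idx)  # index changes only after the file is safely in .trash
        return dst

    def restore(self, trashed: Path) -> str:
        """Undo a soft delete using the metadata written next to the trashed file."""
        meta_path = trashed.with_suffix(".meta.json")
        meta = json.loads(meta_path.read_text())
        shutil.move(str(trashed), str(self.docs / meta["file"]))
        idx = self._load()
        idx[meta["doc_id"]] = {"owner": meta["owner"], "file": meta["file"]}
        self._save(idx)
        meta_path.unlink()
        return meta["doc_id"]

    def reset(self, confirm: str, backup_dir: Path) -> Path:
        """Replacement for an unguarded recursive delete: archive first, require RESET, then clear."""
        if confirm != "RESET":
            raise DeleteRefused("refusing: reset requires confirm='RESET'")
        backup = backup_dir / f"kb-backup-{time.time_ns()}.tar.gz"
        with tarfile.open(backup, "w:gz") as tar:
            tar.add(str(self.root), arcname="kb")
        for d in (self.docs, self.trash):
            shutil.rmtree(d)
            d.mkdir()
        self._save({})
        return backup


def demo() -> dict:
    """Constructed walk-through: two sample documents, two refused deletes, one soft delete,
    a restore, then a backed-up reset."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = KBStore(Path(tmp) / "kb")
        store.add("doc-1", "Vacation policy v3 (constructed sample text)", owner="alice")
        store.add("doc-2", "Vendor contract terms (constructed sample text)", owner="bob")
        for name, kwargs in (("wrong_owner", {"actor": "bob", "confirm": "delete doc-1"}),
                             ("id_only_no_phrase", {"actor": "alice", "confirm": "doc-1"})):
            try:
                store.delete_document("doc-1", **kwargs)
                out[name] = "deleted"
            except DeleteRefused:
                out[name] = "refused"
        trashed = store.delete_document("doc-1", actor="alice", confirm="delete doc-1")
        out["after_delete"] = store.ids()
        out["trashed_exists"] = trashed.exists()
        out["restored"] = store.restore(trashed)
        out["after_restore"] = store.ids()
        backup = store.reset(confirm="RESET", backup_dir=Path(tmp))
        with tarfile.open(backup) as tar:
            out["backup_members"] = sorted(tar.getnames())
        out["after_reset"] = store.ids()
    return out
```

The id_only_no_phrase case is the chat-path failure mode from the findings: "doc-1" appearing in the input is not a confirmation, so nothing is removed. A real deployment would also expire the `.trash` directory on a schedule and store the reset archive outside the knowledge-base root, which is why reset takes a separate backup_dir.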

VirusTotal

64/64 vendors reported this skill as clean (no detections).


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token. This is a pattern-based detection, and one of the seven locations is a markdown quickstart file, so check each listed line for placeholder or example values before treating it as a leaked credential; any real key found should be rotated, not just removed from the file.

Critical
Code
suspicious.exposed_secret_literal
Location
main.py:171

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
query_kb.py:43

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
QUICKSTART.md:185

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/chat_interface.py:42

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/document_processor.py:52

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/embedder.py:112

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/retriever.py:132