Andara Rag Search

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: andara-rag-search
Version: 1.0.0

The skill provides an AI agent with the capability to execute arbitrary SQL queries via the `bash` tool and `psql` using a `$DATABASE_URL` environment variable. While the documentation in `SKILL.md` describes search-related tasks, it explicitly guides the agent to access highly sensitive data including `equity_percent`, `revenue_eur`, and `customer_emails`. The reliance on shell-based database access without input sanitization or restricted permissions represents a high-risk capability that could be easily exploited for unauthorized data access or manipulation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed in an environment with DATABASE_URL set, the agent could read private business, customer, revenue, and equity information using whatever database privileges that URL grants.

Why it was flagged

The skill relies on a database connection string and documents access to customer, order, email, and equity-related data. The provided metadata declares no required env vars or primary credential, so this high-impact access is under-declared and not clearly scoped.

Skill content

psql "$DATABASE_URL" ... `team_members` ... `email`, `equity_percent`; `orders` ... `customer_name`; `customers` ... `name`, `email`

Recommendation

Declare DATABASE_URL and psql as requirements, use a least-privilege read-only database role, restrict accessible tables and columns, and require explicit user approval before returning customer, financial, or equity data.

What this means

A mistaken or manipulated query could read more data than intended, query unrelated tables, or rely on database permissions rather than the skill’s stated read-only rule.

Why it was flagged

The skill exposes raw SQL execution through bash with free-form search term substitution. The read-only limitation is documented, but not technically enforced by the artifact, and the examples do not use parameterized queries or an allowlisted search wrapper.

Skill content

Run a PostgreSQL query against the `knowledge_base` table using the `bash` tool ... Replace `SEARCH_TERM` with the relevant keyword(s). ... Never INSERT, UPDATE, or DELETE — read-only access only

Recommendation

Prefer a narrow helper or stored procedure that only performs parameterized SELECT queries against approved tables, enforces LIMITs, and redacts sensitive columns by default.

What this means

Search results could surface sensitive historical business context or misleading stored guidance if the indexed knowledge base contains outdated or poisoned records.

Why it was flagged

The skill searches persistent RAG and memory-like content, including learned lessons and policies. That is aligned with its purpose, but retrieved content may be stale or sensitive, and it should not be treated as carrying higher authority than system or user instructions.

Skill content

`knowledge_base` | RAG chunks (3,800+) ... `rag_memory_objects` | Learned lessons & policies ... Any indexed content

Recommendation

Treat retrieved RAG content as reference material, not instructions; verify important business facts; and avoid returning personal or customer data unless the user explicitly needs it.