
Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RAGFlow dataset-management integration, but it can delete remote data and optionally save an API key locally.

Install only if you trust the RAGFlow server you will point it at. Prefer a minimally scoped API key and avoid --save-to-memory on shared or backed-up machines. Review exact dataset and document IDs before confirming deletions, because the scripts can modify or delete remote RAGFlow data once run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The manifest description says the skill is for dataset and retrieval operations, but the documentation also supports model enumeration and local persistence of credentials and dataset scope. That mismatch can cause reviewers or automated policy systems to underestimate what the skill can do, especially because it handles API keys and writes them to disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The documentation advertises model-listing behavior, but that capability is omitted from the manifest-level description. This creates incomplete disclosure of reachable network functionality and can bypass user expectations or approval workflows that rely on manifest-declared scope.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding: The skill says chunk editing is out of scope, yet the endpoint list includes chunk deletion capability. That contradiction is dangerous because destructive operations may remain reachable or appear sanctioned despite the policy text saying otherwise.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: Conflicting documentation around chunk editing/deletion creates ambiguity about whether destructive chunk operations are allowed. In a dataset-ingestion skill, this increases the chance of accidental or policy-bypassing data destruction because users and agents may rely on the endpoint list instead of the narrower scope statement.

Credential Access

Severity: High
Category: Privilege Escalation
Content:

Pass `--base-url` explicitly when needed. For the API key, prefer `--api-key-file /path/to/key.txt`, or let the script prompt securely.

All scripts also support `--memory-file` and `--save-to-memory`. The default memory file is `~/.codex/memories/ragflow_credentials.json`.

Example memory file:

Confidence: 97%
Finding: credentials.json

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:

- `PUT /api/v1/datasets/<dataset_id>/documents/<document_id>`
- `DELETE /api/v1/datasets/<dataset_id>/documents`
- `POST /api/v1/datasets/<dataset_id>/chunks`
- `DELETE /api/v1/datasets/<dataset_id>/chunks`
- `POST /api/v1/retrieval`
- `POST /api/v1/chunk/retrieval_test`
- `GET /v1/llm/my_llms`

Confidence: 91%
Finding: `DELETE /api/v1/datasets/<dataset_id>/chunks`

VirusTotal

64/64 vendors flagged this skill as clean.
