Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ck-rag-skill

v1.0.0

RAGFlow knowledge-base Q&A and operational guidance. Calls the RAGFlow knowledge-base API for intelligent question answering and, based on the results the knowledge base returns, provides agent operation suggestions. Supports streaming output; wait patiently for the complete response to be generated. Trigger this skill when the user asks a technical question, needs troubleshooting or operational guidance, or requires knowledge-base retrieval. Applicable to container/Docker problems, system operations and maintenance, development-related questions, and similar scenarios.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's functionality (querying a RAGFlow KB) aligns with its name and description, but the package includes a hard-coded Authorization token and session cookie and targets an internal IP (http://172.28.20.46:30001). The skill metadata declares no required env vars or credentials, yet the code embeds secrets and assumes specific local filesystem paths (e.g., /home/onestack/.openclaw/workspace/...). This mismatch between declared requirements and actual embedded requirements is concerning.
Instruction Scope
SKILL.md instructs the agent/operator to run the included scripts and even to extract Authorization and Cookie from browser developer tools and paste them into the script. It also directs use of exec tools to run commands if the knowledge base suggests them. While invoking commands can be appropriate for an ops helper, the guide encourages manual insertion of credentials into source files and references absolute paths tightly coupled to a particular environment — expanding the skill's scope to handling secrets and local system state in an unsafe way.
Install Mechanism
There is no install spec (the skill is instruction-only), which reduces supply-chain risk. However, the bundle includes executable scripts that make network calls and expect Python dependencies (requests). No third-party downloads or extraction steps are present.
Credentials
Although the registry metadata lists no required environment variables or primary credential, the code contains hard-coded Authorization and Cookie values (secrets) and a fixed conversation_id. Requesting/including credentials directly in code is disproportionate and poor practice. The API endpoint is an internal IP, so the skill effectively requires network access to internal infrastructure; that privilege is not declared.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It does instruct editing its own script to change tokens, but it does not request persistent system-wide privileges in its manifest.
Scan Findings in Context
[hardcoded_credentials_in_code] unexpected: The Python scripts contain literal Authorization and Cookie values. An API key/session token is expected for the skill's purpose, but hard-coding them into source files (and into a published skill) is unsafe and was not declared in the skill metadata as a required credential.
[internal_ip_endpoint] expected: The API URL uses a private/internal IP (172.28.20.46:30001). This is consistent with an on-prem/enterprise RAGFlow deployment, but it means the skill depends on access to internal network resources and may leak requests to an internal host if deployed broadly.
[absolute_user_paths] unexpected: SKILL.md and scripts reference an absolute path (/home/onestack/.openclaw/workspace/...), which assumes a specific runtime layout and user account. That reduces portability and may cause accidental execution in unexpected contexts.
What to consider before installing
This skill appears to do what it says (query an internal RAGFlow knowledge base), but it contains hard-coded secrets and assumptions you should not accept lightly. Before installing or running it:
1) Do NOT run the scripts as-is if the embedded token/cookie belong to someone else — those look like real credentials and should be considered sensitive.
2) Prefer that the skill be changed to read Authorization and Cookie from environment variables or a secure secrets store (do not embed secrets in code).
3) Confirm the API host (172.28.20.46) is a trusted internal service you want this agent to contact.
4) Remove or update absolute paths so the scripts run in your environment (avoid executing code that assumes /home/onestack).
5) Audit and rotate any exposed tokens if they were leaked.
6) Be cautious when allowing the agent to execute commands suggested by the KB — verify commands before consenting to run them.
If you cannot confirm the provenance of the embedded token and the intended internal host, treat this skill as untrusted and either sanitize the code (replace hard-coded secrets with env vars) or avoid installing it.
