ck-rag-skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised RAGFlow Q&A job, but it ships reusable API credentials and shared conversation state that users should review before installing.

Review before installing. Only use this skill if you trust the publisher and the RAGFlow server, rotate or replace the embedded token and cookie, avoid sensitive prompts until transport and retention are clarified, and inspect any suggested system command before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill invokes both network access and shell commands but does not declare those capabilities, which weakens permission transparency and can bypass policy review or user expectations. In this context, the skill is explicitly designed to reach an internal API and recommend command execution, so undeclared capabilities materially increase operational risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond benign knowledge-base querying by relying on hardcoded authentication material, performing diagnostics, and reusing a fixed conversation ID across runs. That combination creates credential exposure risk, expands the skill's effective attack surface, and may leak or mix user context between unrelated sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: Embedding and instructing the use of hardcoded API credentials is a direct secret-handling flaw. If the skill file or script is exposed, copied, logged, or reused, attackers can access the backend service and potentially retrieve sensitive knowledge-base data or abuse the service.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script hard-codes a bearer-like authorization token and a session cookie directly in source, which exposes reusable credentials to anyone with code access and enables unauthorized access to the backing RAGFlow service. This is especially risky because the skill’s stated purpose is ordinary knowledge-base querying, so embedding long-lived secrets is unnecessary and creates clear credential leakage and abuse risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: Using a fixed conversation_id causes all users and invocations to share the same remote conversation state, which can leak prior prompts, answers, references, or hidden context across sessions. In a support or operations setting, that creates cross-user data exposure and prompt-context contamination rather than isolated Q&A behavior.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script hardcodes sensitive authentication material, including what appears to be an authorization token, a session cookie, and a conversation identifier. Embedding live credentials in source code is dangerous because anyone with file access can reuse them to impersonate the client, access backend data, or interact with the API outside intended controls.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation gives destructive remediation advice such as deleting and recreating containers without requiring verification, backup, or user confirmation. In an operations context, that can directly cause service disruption, data loss, or accidental destruction if an agent follows the guidance mechanically.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs using an execution tool for system commands without an explicit safety gate, effect warning, or confirmation requirement. Because the skill operates in troubleshooting and admin contexts, this can translate untrusted or incomplete KB advice into real system changes, increasing the chance of harmful command execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script transmits user-supplied questions and attached conversation context to a remote service without explicit disclosure, confirmation, or data handling notice. Users may unknowingly send sensitive operational, system, or incident details to an internal endpoint, creating confidentiality and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.