ck-rag-skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill does what it says, but it bundles RAGFlow session credentials and reuses a shared conversation over plain HTTP, which creates credential and privacy risks.
Only install this if you trust the RAGFlow server and the skill owner. Treat the bundled token and cookie as exposed, avoid sending secrets in questions, and prefer a version that uses your own scoped credentials over HTTPS with a fresh conversation per task.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may unknowingly run queries under someone else's shared session, and anyone who can see the skill package can copy or abuse the exposed RAGFlow credentials.
The skill bundles a bearer-style token and session cookie directly in source code, giving every installer access to the same RAGFlow account/session rather than using user-scoped credentials.
AUTHORIZATION = "IjQxYThhZGYyMDZlYjExZjFhZDE1ODJkYzljOWQ1YmJmIg.aYvfEw.ElppYHks0F5ETowUlvqA1Th-XHE"
COOKIE = "session=.elxVyzOegCAMAMC_dHagCgh8hIDaRleQyfh3jYmD4w13Qh5dWt4ZEizixBmNxgsbKkbknKkcxcy43siB/MyNqkb5CONuTR2yyWQKbarxVe7a9dNywRHnEaYvfEw66dir-0J0wYtii0IOGJ11861RtRtxp4"
Remove and rotate the exposed token and cookie. Use per-user environment variables, OAuth, or a scoped secret store, and declare the required credential in metadata.
Questions from different users or sessions could affect later answers, and sensitive details entered into one query may persist in the shared RAGFlow conversation context.
All queries reuse one fixed conversation identifier to preserve context, with no per-user reset, retention, or isolation controls shown.
# Fixed conversation_id, to preserve the conversation context
CONVERSATION_ID = "0e18393f0b6042f2bbf6b391c82835d1"
Generate a fresh conversation_id per user or task, provide a reset option, and warn users not to send secrets unless retention and access controls are clear.
User questions and the shared session token could be observed or modified by parties on the network path.
The script sends the user's question and bundled credentials to a RAGFlow API over plain HTTP, so the data and session material are not protected by TLS in the shown configuration.
API_URL = "http://172.28.20.46:30001/v1/conversation/completion"
headers = {
    "Authorization": AUTHORIZATION,
    "Content-Type": "application/json",
    "Cookie": COOKIE
}
response = requests.post(API_URL, json=payload, headers=headers, stream=True, timeout=120)
Use HTTPS or another authenticated encrypted channel, avoid sending session cookies over plaintext HTTP, and clearly disclose that user prompts are sent to this RAGFlow server.
If the knowledge-base answer is wrong or overly broad, a user could approve a command that changes their system, such as container operations.
The skill may translate retrieved knowledge-base guidance into executable commands, but it explicitly requires user confirmation before execution.
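When the API response contains operational steps, convert them into executable commands or clear guidance - If the user confirms, execute them with the exec tool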
Show the exact command and expected impact before running it, and ask for explicit confirmation for destructive or privileged actions.
