Skill v1.0.0

ClawScan security

ck-rag-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 11, 2026, 9:47 AM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill matches its stated purpose (querying an on-prem RAGFlow knowledge API) but contains hard-coded credentials, internal IP addresses, and path assumptions that are disproportionate and risky.
Guidance
This skill appears to do what it says (query an internal RAGFlow knowledge base), but it contains hard-coded secrets and assumptions you should not accept lightly. Before installing or running it:
1) Do NOT run the scripts as-is if the embedded token/cookie belong to someone else — those look like real credentials and should be considered sensitive.
2) Prefer that the skill be changed to read Authorization and Cookie from environment variables or a secure secrets store (do not embed secrets in code).
3) Confirm the API host (172.28.20.46) is a trusted internal service you want this agent to contact.
4) Remove or update absolute paths so the scripts run in your environment (avoid executing code that assumes /home/onestack).
5) Audit and rotate any exposed tokens if they were leaked.
6) Be cautious when allowing the agent to execute commands suggested by the KB — verify commands before consenting to run them.
If you cannot confirm the provenance of the embedded token and the intended internal host, treat this skill as untrusted and either sanitize the code (replace hard-coded secrets with env vars) or avoid installing it.
Findings
[hardcoded_credentials_in_code] unexpected: The Python scripts contain literal Authorization and Cookie values. An API key/session token is expected for the skill's purpose, but hard-coding them into source files (and into a published skill) is unsafe and was not declared in the skill metadata as a required credential.
[internal_ip_endpoint] expected: The API URL uses a private/internal IP (172.28.20.46:30001). This is consistent with an on-prem/enterprise RAGFlow deployment, but it means the skill depends on access to internal network resources and may leak requests to an internal host if deployed broadly.
[absolute_user_paths] unexpected: SKILL.md and scripts reference an absolute path (/home/onestack/.openclaw/workspace/...), which assumes a specific runtime layout and user account. That reduces portability and may cause accidental execution in unexpected contexts.

Review Dimensions

Purpose & Capability
concern: The skill's functionality (querying a RAGFlow KB) aligns with its name and description, but the package includes a hard-coded Authorization token and session cookie and targets an internal IP (http://172.28.20.46:30001). The skill metadata declares no required env vars or credentials, yet the code embeds secrets and assumes specific local filesystem paths (e.g., /home/onestack/.openclaw/workspace/...). This mismatch between declared requirements and actual embedded requirements is concerning.
Instruction Scope
concern: SKILL.md instructs the agent/operator to run the included scripts and even to extract Authorization and Cookie from browser developer tools and paste them into the script. It also directs use of exec tools to run commands if the knowledge base suggests them. While invoking commands can be appropriate for an ops helper, the guide encourages manual insertion of credentials into source files and references absolute paths tightly coupled to a particular environment — expanding the skill's scope to handling secrets and local system state in an unsafe way.
Install Mechanism
note: There is no install spec (instruction-only), which reduces supply-chain risk. However, the bundle includes executable scripts that will make network calls and expect Python dependencies (requests). No third-party downloads or extraction steps are present.
Credentials
concern: Although the registry metadata lists no required environment variables or primary credential, the code contains hard-coded Authorization and Cookie values (secrets) and a fixed conversation_id. Requesting/including credentials directly in code is disproportionate and poor practice. The API endpoint is an internal IP, so the skill effectively requires network access to internal infrastructure; that privilege is not declared.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or global agent settings. It does instruct editing its own script to change tokens, but it does not request persistent system-wide privileges in its manifest.