
VirusTotal security

ck-rag-skill · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:46 AM
Hash: 13d0763231a9d50def8af01d352c37ae6790d65120284482d2d7ada23b91d91d
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: ck-rag-skill
Version: 1.0.0

The skill is suspicious due to critical vulnerabilities, primarily the high risk of shell injection (RCE) and hardcoded credentials. The `SKILL.md` and `TROUBLESHOOTING.md` instruct the OpenClaw agent to execute shell commands by directly embedding user input (e.g., `python3 ... "用户的问题"`), which is highly susceptible to shell injection if the agent's execution environment lacks proper input sanitization. Additionally, API authorization tokens and session cookies are hardcoded in `scripts/query_ragflow.py` and `scripts/quick_test.py`, exposing sensitive credentials. While there's no evidence of intentional malicious activity like external data exfiltration, these vulnerabilities present a significant security risk.