Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Rag based on Google drive
v1.0.3
Use the Google Drive RAG CLI to search your synced personal documents, add tracking folders, or check the service account status.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (RAG for Google Drive) align with the included cli.py which talks to a RAG service. However, the skill metadata declares no required environment variables or primary credential while the SKILL.md and cli.py clearly require API_URL and JWT_TOKEN at runtime. That metadata omission is an incoherence.
Instruction Scope
SKILL.md instructs the agent to create and use a ~/.agents/skills/driverag/.env file containing API_URL and JWT_TOKEN and to run the CLI from the skill directory and venv. It also tells the agent to automatically run renew-token on 401s and to update the .env file — giving the agent discretion to write credentials to disk. The CLI contacts an arbitrary API_URL provided by the user; if that URL is untrusted it will receive the JWT_TOKEN. These file- and credential-writing instructions broaden scope beyond a simple search helper and could enable inadvertent credential storage or exfiltration.
Install Mechanism
No install spec in registry (instruction-only), but SKILL.md asks to create a Python venv and pip install requirements.txt. requirements.txt is minimal (requests, python-dotenv). This is moderate/expected for a bundled Python CLI and does not itself look suspicious.
Credentials
The skill requires two sensitive environment values at runtime (API_URL and JWT_TOKEN) but the registry metadata lists none and no primary credential. Requiring a JWT and service endpoint is reasonable for a RAG service, but failing to declare them in metadata is a mismatch that reduces transparency. Additionally, SKILL.md directs storing JWT_TOKEN in a skill-local .env file and suggests automatically renewing/updating tokens — this increases the chance tokens are persisted and handled by the agent without clear user consent.
Persistence & Privilege
always:false (good). The skill instructs the agent to create files under ~/.agents/skills/driverag/ (venv and .env) and to run commands there; writing those files is normal for an instruction-only skill that includes a CLI, but it means the agent will hold persistent credentials in its skill directory if the user follows instructions. The ability to autonomously invoke renew-token combined with writing .env could let the agent update stored credentials — this is not blocked by skill metadata and should be considered by the user.
What to consider before installing
Key things to consider before installing:
- Metadata mismatch: The skill actually requires API_URL and JWT_TOKEN (sensitive) but the registry metadata doesn’t declare them — ask the publisher why these were omitted.
- Trust the endpoint: The API_URL is arbitrary. Only provide an API_URL you trust; if it points to a malicious server it will receive your JWT_TOKEN and any requests made by the CLI.
- Minimize privileges: If you must supply a token, prefer a scoped service account or token with the minimum permissions, not a full Google account credential.
- Be cautious storing secrets: The skill instructs you to store credentials in ~/.agents/skills/driverag/.env. Storing tokens in skill directories can lead to persistent exposure; consider using a secure secret manager instead and avoid leaving long-lived tokens there.
- Renew-token behavior: SKILL.md suggests automatically running renew-token and updating .env. The CLI prints the new token but does not itself write .env — watch for whether the agent will write the file for you. Don’t let the agent silently persist new credentials without explicit consent.
- Verify outputs and logs: The CLI prints tokens on renew; those could be captured in logs. If you proceed, rotate tokens afterward and audit logs.
- Ask for clarifications: Request the publisher to (1) declare required env vars in metadata, (2) document what the remote API_URL represents (who runs it), and (3) avoid instructions that automatically persist credentials.
Given these mismatches and the sensitive handling of credentials, treat the skill as suspicious until the above issues are resolved or you can supply minimal, revocable credentials and a trusted API endpoint.
