Zvec Local RAG Service

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local RAG service, but it needs review because its long-running local API can index and later reveal text from any caller-selected directory without authentication or an allowlist.

Install only if you are comfortable running a persistent local HTTP service. Keep it bound to 127.0.0.1, do not enable non-loopback hosting or remote Ollama unless the machine and network are controlled, and ingest only directories you intend to make searchable. Treat the index as retained local data, and remember the provided ingest command rebuilds the existing vector database by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill explicitly instructs the user to run shell scripts and install/start a local service, but it declares no permissions despite requiring shell-capable operations. This creates a trust and review gap: an agent or reviewer may underestimate the skill's ability to execute system commands, install dependencies, and modify local state.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The /ingest endpoint accepts an arbitrary directory from the request body, recursively reads all .txt/.md files under that path, and by default resets and overwrites the existing vector database. There is no authentication, authorization, path allowlist, or confirmation guard, so any client that can reach the service can trigger destructive reindexing of attacker-chosen local content and cause loss of the prior index or unintended ingestion of sensitive files from accessible directories.

Session Persistence

Medium
Category
Rogue Agent
Content
# 3) verify health
scripts/manage.sh health

# 4) create tiny test corpus
mkdir -p ./docs
cat > ./docs/sample.md <<'EOF'
Zvec + Ollama enables local semantic search.
Confidence
76% confidence
Finding
create tiny test corpus mkdir -p ./docs cat > ./docs/sample.md <<'EOF' Zvec + Ollama enables local semantic search. EOF # 5) ingest + query scripts/manage.sh ingest ./docs scripts/manage.sh search "l

Session Persistence

Medium
Category
Rogue Agent
Content
- `scripts/rag-service.mjs` → HTTP service implementation
- `scripts/manage.sh` → bootstrap/start/stop/restart/health/ingest/search
- `references/launchd.plist.template` → macOS LaunchAgent template

## Prerequisites
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
scripts/manage.sh bootstrap
scripts/manage.sh install-launchd   # writes plist, inspect once
scripts/manage.sh start
scripts/manage.sh health
```
Confidence
96% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
scripts/manage.sh uninstall-launchd
```

Always inspect generated plist before enabling persistence:
- `~/Library/LaunchAgents/com.openclaw.zvec-rag-service.plist`

## Config via env vars
Confidence
94% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```

Always inspect generated plist before enabling persistence:
- `~/Library/LaunchAgents/com.openclaw.zvec-rag-service.plist`

## Config via env vars
Confidence
94% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal