Zvec Local RAG Service

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: zvec-local-rag-service
Version: 1.0.3

The skill is classified as suspicious due to critical vulnerabilities. The `scripts/manage.sh` file is vulnerable to shell injection in its `ingest` and `search` commands, as user-supplied arguments are unsafely interpolated into `printf` strings used to construct `curl` commands. Additionally, the `scripts/rag-service.mjs` file contains a path traversal vulnerability in its `/ingest` endpoint, allowing an attacker to specify arbitrary directories (e.g., `../../../../etc`) to read and embed sensitive system files into the RAG index. While the service implements secure defaults for network binding, these input validation flaws pose significant risks for arbitrary command execution and data exposure.