Ragie.ai-RAG
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Ragie.ai RAG integration with no hidden malicious behavior evident, but it needs a Ragie API key and sends/manages documents and queries in Ragie.
Use this skill only if you intend to use Ragie.ai as a cloud knowledge base. Set RAGIE_API_KEY deliberately, avoid ingesting secrets or regulated data unless Ragie is approved for that use, scope data with partitions or filters, and verify document IDs before deletion. Because the registry metadata under-declares requirements and the source is listed as unknown, review the included scripts and setup manually before installing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installer or registry page may not warn users about the real setup requirements before use.
The registry-level metadata/provenance does not declare the API key, Python binary, or Python packages that SKILL.md and the scripts require. This is a setup/provenance notice rather than hidden behavior because the requirements are disclosed in the skill text and code.
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none; No install spec — this is an instruction-only skill.
Review the included scripts, install dependencies intentionally in a controlled environment, and verify the publisher/source before providing a Ragie API key.
Anyone who can run the skill with this environment variable can perform the Ragie operations allowed by that key.
The helper reads a local Ragie API key and sends it as a bearer token for API calls, giving the skill delegated access to the user's Ragie account.
key = os.getenv("RAGIE_API_KEY") ... "Authorization": f"Bearer {key}"
Use a dedicated or least-privilege Ragie key if available, keep it out of transcripts and committed files, and rotate it if exposure is suspected.
Sensitive documents, URLs, queries, and retrieved chunks may be stored or processed by Ragie and reused in future answers.
A user-selected local file is uploaded to Ragie for document ingestion. This is expected for RAG, but it can move private content into a persistent cloud index that later influences answers.
API_BASE = "https://api.ragie.ai" ... requests.post(f"{API_BASE}/documents", headers=headers, files=files, data=data)
Only ingest documents you are allowed to send to Ragie, use partitions/filters to scope retrieval, avoid secrets unless approved, and delete documents that should no longer be indexed.
Deleting the wrong document ID could remove content from the Ragie knowledge base.
The management helper can delete a Ragie document. The confirmation prompt makes it user-controlled and purpose-aligned, but deletion is still a mutating operation users should verify.
confirm = input(f"Delete document {doc_id}? [y/N] ") ... requests.delete(f"{API_BASE}/documents/{doc_id}", headers=get_headers())
Confirm document IDs and names before deletion, and keep backups or source copies of important documents.
