Ragie.ai-RAG

Status: Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ragie-rag
Version: 1.0.2

The skill bundle is classified as suspicious because of significant weaknesses in input handling and arbitrary file access, even though no explicit malicious intent was found. `SKILL.md` instructs the AI agent to execute shell commands with arguments derived from user input (e.g., `--file`, `--url`, `--name`, `--query`); if the agent interpolates those values into a shell string instead of passing them as separate arguments, this is a shell injection risk. In addition, `scripts/ingest.py` accepts arbitrary local files or URLs via `--file` and `--url`, so a compromised agent could upload sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to the legitimate Ragie.ai service. The destination is the intended API, but the result is still an unauthorized data exposure. No direct malicious code (unauthorized exfiltration to third-party domains, backdoors, persistence) was found, and `SKILL.md` includes instructions intended to prevent data leakage.
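The two weaknesses above (shell-string command construction and unrestricted `--file`/`--url` values) are easiest to see side by side. The following is an added example, not code from the ragie-rag skill: it shows the vulnerable shell-string pattern next to an argv-list launch, and adds path and URL checks that an agent-facing wrapper around `ingest.py` could apply before ever reaching the Ragie API. The helper names, the sandbox directory, and the sample inputs are all assumptions made for this example.

```python
"""Hardened handling of agent-supplied --file / --url / --query values.

Added example, not code from the ragie-rag skill. Helper names, the
sandbox directory and the sample inputs are assumptions for this demo.
"""
import ipaddress
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


class RejectedInput(ValueError):
    """Raised when an agent-supplied argument fails validation."""


def shell_command_unsafe(query: str) -> str:
    """The vulnerable pattern: user text spliced into a shell string.
    A query such as 'x; id' or 'x $(cat ~/.ssh/id_rsa)' is run by the shell."""
    return f"python scripts/ingest.py --query {query}"


def query_argv(query: str) -> list[str]:
    """The hardened form: an argv list, so no shell ever parses `query`."""
    return [sys.executable, "scripts/ingest.py", "--query", query]


def run_query_echo(query: str) -> list[str]:
    """Launch a child with the argv form and return the argv it received.
    The child is a stand-in for ingest.py that just echoes its arguments."""
    argv = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))", "--query", query]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def validate_local_file(user_path: str, ingest_root: Path) -> Path:
    """Accept only regular files inside ingest_root after resolving '..',
    '~' and symlinks, so /etc/passwd and ~/.ssh/id_rsa are rejected."""
    root = ingest_root.resolve()
    raw = Path(user_path).expanduser()
    candidate = (raw if raw.is_absolute() else root / raw).resolve()
    if not candidate.is_relative_to(root):
        raise RejectedInput(f"{user_path!r} resolves outside {root}")
    if not candidate.is_file():
        raise RejectedInput(f"{user_path!r} is not a regular file")
    return candidate


def validate_url(url: str) -> str:
    """Accept only http(s) URLs whose host is not a loopback, private or
    link-local IP literal, so --url cannot point ingestion at localhost
    services or a cloud metadata endpoint. DNS names are passed through;
    resolve-time checks would be a separate control."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RejectedInput(f"unsupported URL: {url!r}")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return url
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        raise RejectedInput(f"internal address rejected: {url!r}")
    return url


def _rejected(fn) -> bool:
    try:
        fn()
    except RejectedInput:
        return True
    return False


def demo() -> dict:
    """Exercise the checks against a constructed sandbox directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ingest"
        root.mkdir()
        (root / "notes.txt").write_text("constructed sample document\n")
        outside = Path(tmp) / "outside.txt"
        outside.write_text("should never be ingested\n")
        os.symlink(outside, root / "escape.txt")  # symlink pointing out of root
        results["ok_file"] = validate_local_file("notes.txt", root).name
        results["traversal"] = _rejected(lambda: validate_local_file("../outside.txt", root))
        results["ssh_key"] = _rejected(lambda: validate_local_file("~/.ssh/id_rsa", root))
        results["symlink"] = _rejected(lambda: validate_local_file("escape.txt", root))
    results["url_ok"] = validate_url("https://example.com/report.pdf") == "https://example.com/report.pdf"
    results["url_file"] = _rejected(lambda: validate_url("file:///etc/passwd"))
    results["url_metadata"] = _rejected(lambda: validate_url("http://169.254.169.254/latest/meta-data/"))
    results["url_loopback"] = _rejected(lambda: validate_url("http://127.0.0.1:8080/"))
    results["shell_string"] = shell_command_unsafe("x; id")
    results["child_argv"] = run_query_echo("x; id")
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The path check deliberately resolves symlinks before the containment test, which is what turns a symlink planted inside the ingest directory into a rejection rather than a read of the target. The argv form is the fix for the injection concern in the overview; quoting with `shlex.quote` would also work but leaves the shell in the loop for no benefit.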

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The installer or registry page may not warn users about the real setup requirements before use.

Why it was flagged

The registry-level metadata/provenance does not declare the API key, Python binary, or Python packages that SKILL.md and the scripts require. This is a setup/provenance notice rather than hidden behavior because the requirements are disclosed in the skill text and code.

Skill content
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none; No install spec — this is an instruction-only skill.
Recommendation

Review the included scripts, install dependencies intentionally in a controlled environment, and verify the publisher/source before providing a Ragie API key.

What this means

Anyone who can run the skill with this environment variable can perform the Ragie operations allowed by that key.

Why it was flagged

The helper reads a local Ragie API key and sends it as a bearer token for API calls, giving the skill delegated access to the user's Ragie account.

Skill content
key = os.getenv("RAGIE_API_KEY") ... "Authorization": f"Bearer {key}"
Recommendation

Use a dedicated or least-privilege Ragie key if available, keep it out of transcripts and committed files, and rotate it if exposure is suspected.

What this means

Sensitive documents, URLs, queries, and retrieved chunks may be stored or processed by Ragie and reused in future answers.

Why it was flagged

A user-selected local file is uploaded to Ragie for document ingestion. This is expected for RAG, but it can move private content into a persistent cloud index that later influences answers.

Skill content
API_BASE = "https://api.ragie.ai" ... requests.post(f"{API_BASE}/documents", headers=headers, files=files, data=data)
Recommendation

Only ingest documents you are allowed to send to Ragie, use partitions/filters to scope retrieval, avoid secrets unless approved, and delete documents that should no longer be indexed.
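The recommendation to avoid sending secrets into a persistent index is easiest to enforce with a screen on the bytes just before they are posted. The following is an added example, not code from the ragie-rag skill or the Ragie client: a small pattern-based secret screen that refuses an upload unless the caller explicitly approves it. The pattern set, the exception names and the two sample documents are constructed for this example and are heuristic, not a complete secret detector.

```python
"""Pre-ingest screen for obvious secrets.

Added example, not code from the ragie-rag skill. It runs on the bytes
that would otherwise be posted to /documents and refuses the upload
unless explicitly approved. Patterns and sample documents are constructed.
"""
import re

SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "bearer_header": re.compile(r"(?i)authorization:\s*bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-./+=]{12,}"),
}


class SecretsDetected(RuntimeError):
    """Raised when a document contains secret-like content and was not approved."""


def scan_for_secrets(text: str) -> list[tuple[str, int]]:
    """Return (pattern_name, 1-based line number) for every hit, in document order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def prepare_for_ingest(name: str, data: bytes, approved: bool = False,
                       max_bytes: int = 50_000_000) -> dict:
    """Gate a document before upload: size cap, then the secret screen.
    Returns the metadata the caller would attach to the upload request."""
    if len(data) > max_bytes:
        raise ValueError(f"{name}: {len(data)} bytes exceeds the {max_bytes} byte cap")
    text = data.decode("utf-8", errors="replace")
    hits = scan_for_secrets(text)
    if hits and not approved:
        where = ", ".join(f"{kind}@line{ln}" for kind, ln in hits)
        raise SecretsDetected(f"{name}: refusing to ingest; found {where}")
    return {"name": name, "size": len(data), "findings": hits, "approved": approved}


# Constructed sample documents (not real data).
CLEAN_DOC = b"""Quarterly notes
The password rotation policy was reviewed in March.
Retrieval partitions are scoped per team.
"""

LEAKY_DOC = b"""Runbook draft
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...
-----END OPENSSH PRIVATE KEY-----
curl -H 'Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc' https://api.example.com/
"""


def demo() -> dict:
    """Run both samples through the gate and report what happened."""
    out = {"clean": prepare_for_ingest("notes.txt", CLEAN_DOC)}
    try:
        prepare_for_ingest("runbook.md", LEAKY_DOC)
        out["leaky_blocked"] = False
    except SecretsDetected:
        out["leaky_blocked"] = True
    out["leaky_approved"] = prepare_for_ingest("runbook.md", LEAKY_DOC, approved=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the screen runs client-side, before `requests.post` is called, a blocked document never leaves the machine. Note that a phrase like "password rotation policy" does not trip the generic pattern, which requires an assignment-style `key: value` or `key=value` form; a screen that fires on every mention of the word would be ignored quickly.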

What this means

Deleting the wrong document ID could remove content from the Ragie knowledge base.

Why it was flagged

The management helper can delete a Ragie document. The confirmation prompt makes it user-controlled and purpose-aligned, but deletion is still a mutating operation users should verify.

Skill content
confirm = input(f"Delete document {doc_id}? [y/N] ") ... requests.delete(f"{API_BASE}/documents/{doc_id}", headers=get_headers())
Recommendation

Confirm document IDs and names before deletion, and keep backups or source copies of important documents.
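A `[y/N]` prompt shows the operator only an opaque ID. The following is an added example, not code from the ragie-rag skill or the Ragie client: a confirmation routine that reads the document back before deleting, requires the operator to type the document's name rather than a single letter, and treats a missing answer (for example when the script is run non-interactively by an agent) as a refusal. The `lookup` and `delete` callables are injected so the example runs offline; the in-memory document store and its contents are constructed for this example.

```python
"""Read-back-and-type-the-name confirmation for a destructive delete.

Added example, not code from the ragie-rag skill. `lookup` and `delete`
stand in for the corresponding API calls so the example runs offline.
Document IDs and names below are constructed.
"""
from typing import Callable, Optional


def confirm_delete(doc_id: str,
                   lookup: Callable[[str], Optional[dict]],
                   delete: Callable[[str], None],
                   ask: Callable[[str], str]) -> str:
    """Return 'deleted', 'aborted' or 'not-found'.

    The document is fetched first so the operator sees its name, and the
    delete only proceeds if that exact name is typed back. Any EOF or
    empty answer is treated as 'no' (default-deny for unattended runs)."""
    doc = lookup(doc_id)
    if doc is None:
        return "not-found"
    expected = doc.get("name", "")
    try:
        typed = ask(f"Delete document {doc_id} ({expected!r})? "
                    f"Type its name to confirm, anything else to abort: ").strip()
    except EOFError:
        return "aborted"
    if not typed or typed != expected:
        return "aborted"
    delete(doc_id)
    return "deleted"


def make_store() -> tuple[dict, Callable, Callable]:
    """Constructed in-memory stand-in for the remote document index."""
    store = {
        "doc-111": {"name": "q3-report.pdf"},
        "doc-222": {"name": "hr-handbook.md"},
    }
    return store, store.get, lambda doc_id: store.pop(doc_id, None)


def scripted(answers: list[str]) -> Callable[[str], str]:
    """Build an `ask` that replays canned answers, then raises EOFError."""
    queue = list(answers)

    def ask(_prompt: str) -> str:
        if not queue:
            raise EOFError
        return queue.pop(0)
    return ask


def demo() -> dict:
    store, lookup, delete = make_store()
    results = {
        "wrong_name": confirm_delete("doc-111", lookup, delete, scripted(["y"])),
        "right_name": confirm_delete("doc-111", lookup, delete, scripted(["q3-report.pdf"])),
        "unknown_id": confirm_delete("doc-999", lookup, delete, scripted(["anything"])),
        "no_answer": confirm_delete("doc-222", lookup, delete, scripted([])),
        "remaining": sorted(store),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)


def interactive_delete(doc_id: str, lookup, delete) -> str:
    """Same flow wired to the terminal for real use."""
    return confirm_delete(doc_id, lookup, delete, input)
```

Typing "y" no longer deletes anything, and an agent that runs the helper without a terminal gets "aborted" rather than a hang or an accidental default. Reading the document back before the prompt is also the cheapest way to catch a copy-pasted ID that belongs to a different document than the one the operator had in mind.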