Ragflow Workbench 1.0.0 En

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for managing a local RAGFlow instance, but it stores and prints sensitive admin/API credentials with weak disclosure and no local file hardening.

Install only if you are comfortable with this skill creating or using a RAGFlow admin account and storing secrets locally. Before use, change the default admin password, keep .env out of source control and screenshots, restrict its permissions where possible, and prefer HTTPS or strictly local-only HTTP for any credential-bearing setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (92% confidence)
Finding
The guide explicitly states that an API token will be written to a local `.env` file, but it does not warn that this file contains sensitive credentials or advise users to prevent it from being committed, shared, or left with overly broad filesystem permissions. In a quickstart context, users commonly copy commands verbatim, so this can lead to credential exposure through source control, backups, screenshots, or multi-user systems.

Missing User Warnings

Medium (97% confidence)
Finding
The script writes highly sensitive material, including the admin password and API key, into a .env file without warning, confirmation, or permission hardening. In an agent-skill context, such files are often left in working directories, committed accidentally, or exposed to other local processes/users, enabling credential theft and full administrative compromise of the RAGFlow instance.

Missing User Warnings

Medium (98% confidence)
Finding
The default base URL uses plain HTTP (http://127.0.0.1:9380), so administrator credentials and token operations are transmitted without transport encryption by default. Even if localhost reduces remote exposure, containerized, proxied, forwarded, or misconfigured deployments can expose this traffic to interception or redirection, and the script provides no warning that sensitive bootstrap operations are occurring over an insecure channel.

VirusTotal

65/65 vendors flagged this skill as clean.
