
Security audit

local-rag-builder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local RAG tool, but its web control panel and file/model management expose too much unauthenticated local control for automatic installation.

Install only if you are comfortable with a local RAG tool that can install Python packages, download models, write persistent data, and send retrieved context to a configured LLM in standalone mode. Run it in an isolated virtual environment, keep the web UI bound to localhost or behind a trusted firewall, avoid exposing its port to a network, and review any model IDs, package mirrors, and deletion actions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
os.makedirs(LOG_DIR, exist_ok=True)

    try:
        proc = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
Confidence
85% confidence
Finding
proc = subprocess.Popen( cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, bufsize=1, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares `sensitive_access: true` and documents capabilities that perform environment inspection, dependency installation, model downloads, shell-style execution, and writes into local data directories, yet none of these capabilities is formally declared in the permission model. That mismatch is dangerous because users and any enforcement layer may underestimate what the skill can do, especially since it can modify the Python environment and fetch remote artifacts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Deletion trusts the filesystem path stored in `kb_index.json` and passes it directly to `shutil.rmtree()`. If that index file is tampered with, deleting a knowledge base could recursively remove arbitrary directories outside the intended `KB_DIR`, which is especially dangerous in a local automation tool that manages persistent files.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The handler unconditionally sets `Access-Control-Allow-Origin: *` for JSON API responses while the server binds on all interfaces (`TCPServer(("", port), ...)`) and exposes sensitive administrative endpoints that change configuration, trigger downloads, and rebuild state. A malicious website visited by a user on the same machine or network could issue cross-origin requests to the local service and remotely reconfigure or operate the RAG instance without authentication.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The UI exposes endpoints such as `/api/verify-llm` and `/api/recommend` that cause the local service to make outbound network requests to configured LLM endpoints. Combined with the unauthenticated local admin surface, this can be abused as a limited SSRF/network pivot or to leak metadata about reachable internal services and trigger unintended external communications.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
`FallbackRouter.score()` assumes each KB signature value is a string, but `update_kb_signature()` persists each signature as a metadata dict containing `signature`, `updated_at`, and `auto_updated`. When `route_query()` loads those persisted signatures and passes them directly into fallback routing, the tokenizer receives dicts instead of strings, causing type errors and silently forcing the system into broadcast mode via exception handling. In a local RAG router, this can reliably disable intended routing and broaden retrieval scope, increasing accidental data exposure across knowledge bases.
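The type mismatch above, reproduced and then fixed, as an added example that is not the skill's own code. The persisted metadata shape (`signature`, `updated_at`, `auto_updated`) is taken from the finding; the tokenizer, the scoring rule, the `__broadcast__` sentinel and the function names are simplified assumptions. The point is twofold: normalize the persisted form before it reaches the scorer, and reserve the broadcast fallback for a genuine no-match rather than for a swallowed exception.

```python
# Added example, not code from local-rag-builder. Shows the dict-vs-string signature
# mismatch forcing broadcast mode, and a router that normalizes and does not swallow errors.
import re
from datetime import datetime, timezone


def tokenize(text):
    # Assumed tokenizer: works on str only; a dict here raises and must not be hidden.
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class FallbackRouter:
    def __init__(self, signatures):
        self.signatures = signatures  # {kb_name: signature string} is what score() expects

    def score(self, query):
        q = tokenize(query)
        return {kb: len(q & tokenize(sig)) for kb, sig in self.signatures.items()}


def update_kb_signature(store, kb, signature):
    """Persisted form from the finding: a metadata dict, not the plain string."""
    store[kb] = {
        "signature": signature,
        "updated_at": datetime.now(timezone.utc).isoformat(),
        "auto_updated": True,
    }


def route_query_buggy(store, query):
    """Failure mode described by the audit: dicts reach the tokenizer, the exception is
    swallowed, and every query silently becomes a broadcast across all knowledge bases."""
    try:
        scores = FallbackRouter(store).score(query)
        return max(scores, key=scores.get)
    except Exception:
        return "__broadcast__"


def signature_text(value):
    """Accept both the legacy string form and the persisted metadata dict; reject anything else."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and isinstance(value.get("signature"), str):
        return value["signature"]
    raise TypeError(f"unsupported signature value: {type(value).__name__}")


def route_query(store, query, min_score=1):
    """Normalize first. Broadcast only when no KB scores at least min_score; a crash propagates."""
    router = FallbackRouter({kb: signature_text(v) for kb, v in store.items()})
    scores = router.score(query)
    best = max(scores, key=scores.get) if scores else None
    return best if best is not None and scores[best] >= min_score else "__broadcast__"
```

With two constructed knowledge bases, the buggy router answers `__broadcast__` for every query, which is exactly the retrieval-scope widening the finding warns about; the fixed router routes to the matching KB and only broadcasts for a query that matches nothing.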

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad, generic RAG-related terms that can match normal user conversation rather than an explicit request to invoke this skill. In an agent environment, this increases the chance of unintended activation, which can cause the skill to take over unrelated conversations or perform configuration/build actions the user did not clearly request.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples instruct users to download an external embedding model and use an external LLM, but do not clearly disclose that network access and potential data transmission may occur. In a local-RAG skill, users may reasonably expect local processing, so missing disclosure can lead to unintended outbound connections or sensitive query/document leakage to third parties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The specification explicitly requires automatic package installation during environment repair, but provides no requirement for prior user consent, package allowlisting, or clear disclosure of what will be installed. In an agent skill, this creates a real security boundary issue because executing package installs can change the host environment, introduce unreviewed code, and trigger network activity unexpectedly.
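One way to put the missing consent and allowlist step in front of automatic package installation, as an added example rather than code from the skill. The package names, versions, allowlist and `index_url` are constructed; the skill's real requirements are not visible in this audit. Only pinned, reviewed specs are approved, the exact command is shown to the user before anything runs, and the actual execution is injected so the example never invokes pip on its own.

```python
# Added example, not code from local-rag-builder. Gate "environment repair" installs behind
# a pinned allowlist plus an explicit disclosure/consent step.
import re

# name==version only; anything looser (ranges, bare names, URLs) is refused.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][A-Za-z0-9.+!-]*)$")

ALLOWED = {  # constructed: package -> versions that were reviewed for this skill
    "sentence-transformers": {"2.7.0"},
    "faiss-cpu": {"1.8.0"},
    "langchain-core": {"0.2.10"},
}


def plan_installs(requested, allowed=ALLOWED):
    """Split requested specs into approved (pinned and allowlisted) and refused (with a reason)."""
    approved, refused = [], {}
    for spec in requested:
        m = PIN_RE.match(spec.strip())
        if not m:
            refused[spec] = "not pinned with =="
            continue
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if name not in allowed:
            refused[spec] = "not on the allowlist"
        elif version not in allowed[name]:
            refused[spec] = f"version not reviewed (allowed: {sorted(allowed[name])})"
        else:
            approved.append(f"{name}=={version}")
    return approved, refused


def install_command(approved, index_url=None):
    """The command the user sees before consenting. --no-deps keeps the install to exactly the
    approved set (transitive deps must be allowlisted and pinned too); --only-binary avoids
    running arbitrary setup.py code from an sdist."""
    if not approved:
        return None
    cmd = ["python", "-m", "pip", "install", "--no-deps", "--only-binary", ":all:"]
    if index_url:
        cmd += ["--index-url", index_url]  # a mirror, if used, is disclosed here too
    return cmd + approved


def repair_environment(requested, confirm, runner):
    """confirm(cmd) -> bool is the consent step; runner(cmd) executes it (injected so this
    example never runs pip). Returns (ran, refused)."""
    approved, refused = plan_installs(requested)
    cmd = install_command(approved)
    if cmd is None or not confirm(cmd):
        return False, refused
    runner(cmd)
    return True, refused
```

For a stronger guarantee than name/version pinning, generate a requirements file with `--hash=sha256:...` entries for the allowlisted wheels and install with pip's `--require-hashes`; the allowlist above is the minimum that makes the install both disclosed and bounded.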

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The model download phase mandates fetching embedding, router, and reranker models but does not require notifying the user about network access, download size, remote sources, or integrity verification. This is dangerous because it can cause silent outbound connections, unexpected bandwidth/storage use, and supply-chain exposure if models are retrieved from untrusted or mutable sources.
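The integrity check the finding says is missing, as an added example and not the skill's own download code. The manifest format (relative file path to expected SHA-256), the file names and the hashes are constructed for the example; the real skill fetches through `HF_ENDPOINT` with no such verification. Every artifact is classified as `ok`, `missing` or `mismatch` before anything is loaded, so a mutable or substituted remote file is caught rather than silently used.

```python
# Added example, not code from local-rag-builder. Verify downloaded model artifacts against a
# pinned manifest before the embedding/router/reranker models are used.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB weights do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(cache_dir, manifest):
    """manifest: {relative_path: expected_sha256_hex}.
    Returns {relative_path: 'ok' | 'missing' | 'mismatch'}; load models only if all are 'ok'."""
    root = Path(cache_dir)
    report = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"
        elif sha256_file(p) != expected.lower():
            report[rel] = "mismatch"
        else:
            report[rel] = "ok"
    return report


def all_verified(report):
    return bool(report) and all(state == "ok" for state in report.values())


def demo():
    """Constructed cache: one good file, one tampered file, one that never arrived."""
    cache = Path(tempfile.mkdtemp())
    (cache / "embed").mkdir()
    (cache / "embed" / "model.safetensors").write_bytes(b"constructed weights")
    (cache / "embed" / "config.json").write_bytes(b'{"dim": 8}')
    manifest = {
        "embed/model.safetensors": hashlib.sha256(b"constructed weights").hexdigest(),
        "embed/config.json": hashlib.sha256(b"tampered").hexdigest(),  # deliberately wrong pin
        "embed/tokenizer.json": "0" * 64,                               # never downloaded
    }
    return verify_artifacts(cache, manifest)
```

Pair the hash manifest with a pinned revision on the download side (the `huggingface_hub` download functions accept a `revision` argument, which should be a commit hash rather than `main`), and surface the manifest, source endpoint and total size to the user before the download starts.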

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The spec instructs the agent to create knowledge-base directories, write configuration files, and possibly create prompt templates, yet it does not require user approval, path restrictions, or disclosure of where files will be written. In a local setup skill, silent filesystem modification is a genuine risk because it can overwrite existing data, persist unintended configuration, or write into sensitive locations if path handling is weak elsewhere in the system.

Missing User Warnings

High
Confidence
95% confidence
Finding
The delete_knowledge_base function calls shutil.rmtree on the stored knowledge-base path, which is a destructive and irreversible file deletion operation. Although the CLI prints the result afterward, there is no prior confirmation prompt or warning before the deletion executes.
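Both rmtree findings above (the path taken on trust from `kb_index.json`, and the absence of any confirmation before deletion) are addressed in one added example; this is not the skill's own `delete_knowledge_base`. The index layout `{"name": {"path": ...}}`, the `KB_DIR` argument and the `confirm` callback are assumptions. The fix resolves the stored path under the knowledge-base root and refuses anything that escapes it, including `..` segments, absolute paths and symlinks, and only then asks for confirmation.

```python
# Added example, not code from local-rag-builder. Confined, confirmed knowledge-base deletion.
import json
import shutil
import tempfile
from pathlib import Path


def delete_knowledge_base_unsafe(index_path, name):
    """Pattern flagged by the audit: the path stored in the index goes straight to rmtree."""
    index = json.loads(Path(index_path).read_text())
    shutil.rmtree(index[name]["path"])  # escapes KB_DIR if kb_index.json was tampered with


def resolve_inside(kb_dir, candidate):
    """Resolve candidate under kb_dir; return None if it is the root itself or escapes it."""
    root = Path(kb_dir).resolve()
    target = (root / candidate).resolve()  # an absolute candidate replaces root, then is checked
    if target == root:
        return None
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def delete_knowledge_base(kb_dir, index_path, name, confirm):
    """Delete a KB only if its path lies inside kb_dir and confirm(name, path) returns True.
    Returns True if deleted, False if the user declined; raises on a tampered path."""
    index_path = Path(index_path)
    index = json.loads(index_path.read_text())
    entry = index.get(name)
    if entry is None:
        raise KeyError(f"unknown knowledge base: {name}")
    target = resolve_inside(kb_dir, entry["path"])
    if target is None:
        raise ValueError(f"refusing to delete {entry['path']!r}: outside {kb_dir}")
    if not confirm(name, target):
        return False
    shutil.rmtree(target)
    del index[name]
    index_path.write_text(json.dumps(index, indent=2))
    return True


def demo():
    """Constructed scenario: a KB root plus an index with two tampered entries."""
    base = Path(tempfile.mkdtemp())
    kb_dir = base / "kbs"
    (kb_dir / "docs").mkdir(parents=True)
    (kb_dir / "docs" / "a.txt").write_text("sample")
    victim = base / "victim"
    victim.mkdir()
    (victim / "keep.txt").write_text("must survive")
    index_path = base / "kb_index.json"
    index_path.write_text(json.dumps({
        "docs": {"path": str(kb_dir / "docs")},
        "evil": {"path": str(victim)},   # tampered: absolute path outside the KB root
        "dots": {"path": "../victim"},   # tampered: traversal relative to the KB root
    }))
    results = {}
    for name in ("evil", "dots"):
        try:
            delete_knowledge_base(kb_dir, index_path, name, lambda n, p: True)
            results[name] = "deleted"
        except ValueError:
            results[name] = "blocked"
    results["victim_intact"] = (victim / "keep.txt").exists()
    results["declined"] = delete_knowledge_base(kb_dir, index_path, "docs", lambda n, p: False)
    results["docs_still_there"] = (kb_dir / "docs").exists()
    results["deleted"] = delete_knowledge_base(kb_dir, index_path, "docs", lambda n, p: True)
    results["docs_gone"] = not (kb_dir / "docs").exists()
    results["index_updated"] = "docs" not in json.loads(index_path.read_text())
    shutil.rmtree(base)
    return results
```

In the CLI, `confirm` would be an interactive prompt that echoes the resolved path; in an agent context it should be a hard stop that requires the user, not the model, to approve.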

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function builds a prompt from the user's question and retrieved knowledge-base context, then sends it to an external LLM endpoint via llm_instance.invoke(prompt) without an explicit warning or consent check at the moment of transmission. In a RAG system, retrieved context may contain sensitive local documents, so this can unintentionally disclose private data to a remote or misconfigured service, especially because base_url is configurable and not guaranteed to be strictly local.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The raw configuration overwrite endpoint accepts arbitrary JSON and persists it directly, with no authentication, schema validation, or authorization checks. In this file's context, that turns any reachable caller into a full configuration administrator and can be chained with the exposed cross-origin/local network surface to alter runtime behavior persistently.
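The three server-side findings above (wildcard CORS on an all-interfaces bind, outbound requests to an arbitrary configured LLM endpoint, and raw JSON persisted as configuration) share one root cause: nothing about a request is checked before it is acted on. The added example below is not the skill's handler; the port, the `/api/config` path, the config keys in `CONFIG_SCHEMA` and the bearer-token scheme are assumptions. It binds to loopback only, sends no `Access-Control-Allow-Origin` header, rejects requests whose `Host` or `Origin` is not a loopback origin, requires a per-run token, validates the config body against a schema, and refuses an `llm_base_url` that does not point at loopback or an explicit allowlist.

```python
# Added example, not code from local-rag-builder. Request gating for a local admin API.
import hmac
import ipaddress
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PORT = 8765                                # assumed
ADMIN_TOKEN = secrets.token_urlsafe(32)    # assumed scheme: printed once at startup, pasted into the UI
LOCAL_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def is_trusted_request(headers, token, port=PORT):
    """Reject DNS-rebound, cross-origin and unauthenticated callers. headers needs .get()."""
    if headers.get("Host", "") not in {f"{h}:{port}" for h in LOCAL_HOSTS}:
        return False  # Host is not a loopback name: LAN caller or DNS rebinding
    origin = headers.get("Origin")
    if origin is not None and origin not in {f"http://{h}:{port}" for h in LOCAL_HOSTS}:
        return False  # browser request initiated by a foreign site
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(presented.encode(), token.encode())


def is_allowed_llm_url(url, allow_hosts=frozenset()):
    """Permit http(s) to loopback or an explicit allowlist only; blocks metadata/LAN pivots."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host in allow_hosts or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown DNS name could resolve anywhere (rebinding); require allowlisting


CONFIG_SCHEMA = {"llm_base_url": str, "llm_model": str, "top_k": int}  # assumed keys


def validate_config(payload):
    """Return the validated config or raise ValueError; unknown keys and wrong types are refused."""
    if not isinstance(payload, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(payload) - set(CONFIG_SCHEMA)
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    for key, typ in CONFIG_SCHEMA.items():
        if key in payload and (not isinstance(payload[key], typ) or isinstance(payload[key], bool)):
            raise ValueError(f"{key} must be {typ.__name__}")
    if "llm_base_url" in payload and not is_allowed_llm_url(payload["llm_base_url"]):
        raise ValueError("llm_base_url must point at loopback or an allowlisted host")
    if "top_k" in payload and not 1 <= payload["top_k"] <= 100:
        raise ValueError("top_k out of range")
    return payload


class AdminHandler(BaseHTTPRequestHandler):
    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")  # no Access-Control-Allow-Origin
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if not is_trusted_request(self.headers, ADMIN_TOKEN):
            return self._reply(403, {"error": "forbidden"})
        if self.path != "/api/config":
            return self._reply(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", "0"))
        try:
            cfg = validate_config(json.loads(self.rfile.read(length)))
        except ValueError as exc:  # JSONDecodeError is a ValueError too
            return self._reply(400, {"error": str(exc)})
        # persist cfg here (omitted): only validated configuration reaches disk
        self._reply(200, {"ok": True, "keys": sorted(cfg)})


if __name__ == "__main__":
    print("admin token:", ADMIN_TOKEN)
    HTTPServer(("127.0.0.1", PORT), AdminHandler).serve_forever()  # loopback only, never ""
```

Dropping the CORS header alone is not enough: a same-machine attacker page can still fire a simple POST without reading the response, which is why the `Origin`/`Host` checks and the token are all required, and why the bind address is `127.0.0.1` rather than the original `""`.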

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The model download endpoint allows any caller to initiate background downloads and filesystem writes, consuming bandwidth, disk, CPU, and potentially introducing untrusted model artifacts into the environment. Because the server lacks authentication and is remotely triggerable from the web UI surface, this becomes a practical abuse vector for resource exhaustion and unwanted network activity.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def _download_with_hf_mirror(model_id, cache_dir):
    """Download via the HuggingFace mirror"""
    env = os.environ.copy()
    env["HF_ENDPOINT"] = "https://hf-mirror.com"
    env["HF_HUB_DISABLE_PROGRESS_BARS"] = "1"  # disable tqdm progress bars; their \r output would block the pipe
    script = f"""
Confidence
60% confidence
Finding
os.environ.copy()

Unvalidated Output Injection

High
Category
Output Handling
Content
PYTHON = "python"

# Detect environment
result = subprocess.run(
    [PYTHON, f"{SKILL_DIR}/scripts/rag_env_setup.py", "--json"],
    capture_output=True, text=True
)
Confidence
26% confidence
Finding
subprocess.run( [PYTHON, f"{SKILL_DIR}/scripts/rag_env_setup.py", "--json"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
env_report = json.loads(result.stdout)

# Embedding model list
result = subprocess.run(
    [PYTHON, f"{SKILL_DIR}/scripts/embedding_model_manager.py", "--list", "--json"],
    capture_output=True, text=True
)
Confidence
26% confidence
Finding
subprocess.run( [PYTHON, f"{SKILL_DIR}/scripts/embedding_model_manager.py", "--list", "--json"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
models = json.loads(result.stdout)

# [Skill mode] pure retrieval (no LLM dependency)
result = subprocess.run(
    [PYTHON, f"{SKILL_DIR}/scripts/rag_skill.py",
     "--query", "What is RAG?", "--json"],
    capture_output=True, text=True
Confidence
26% confidence
Finding
subprocess.run( [PYTHON, f"{SKILL_DIR}/scripts/rag_skill.py", "--query", "What is RAG?", "--json"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
context = data["context"]  # the agent answers on its own from the retrieved context

# [Standalone mode] end-to-end question answering
result = subprocess.run(
    [PYTHON, f"{SKILL_DIR}/scripts/rag_standalone.py",
     "--query", "What is RAG?", "--json"],
    capture_output=True, text=True
Confidence
26% confidence
Finding
subprocess.run( [PYTHON, f"{SKILL_DIR}/scripts/rag_standalone.py", "--query", "What is RAG?", "--json"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
"returncode": proc.returncode,
            }
        else:
            result = subprocess.run(
                cmd, capture_output=False, text=True, timeout=timeout
            )
            return {
Confidence
95% confidence
Finding
subprocess.run( cmd, capture_output
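The `os.environ.copy()` finding and the five output-handling findings above describe the same helper-script pattern from two sides: the parent hands the child its entire environment, then treats whatever the child prints as trusted JSON. The added example below is not the skill's own wrapper; `ENV_ALLOWLIST`, `run_json_tool`, the schema format and the constructed stand-in script are assumptions. The child gets a minimal environment, a timeout, no stdin and a bounded output size, and its stdout is accepted only if the exit code is zero and the JSON matches the expected shape.

```python
# Added example, not code from local-rag-builder. Minimal-environment subprocess wrapper that
# validates the child's JSON output before it can flow into the agent's context.
import json
import os
import subprocess
import sys

ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")  # HF_* etc. are passed explicitly


def minimal_env(extra=None):
    """Give the child only what it needs; API keys and tokens in the parent stay in the parent."""
    env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
    env.update(extra or {})
    return env


class ToolError(RuntimeError):
    pass


def run_json_tool(argv, schema, timeout=60, extra_env=None, max_bytes=1 << 20):
    """Run argv; require exit 0, bounded output, valid JSON object matching schema ({field: type}).
    Returns only the schema's fields. Anything else raises ToolError instead of being trusted."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout,
                              env=minimal_env(extra_env), stdin=subprocess.DEVNULL)
    except subprocess.TimeoutExpired as exc:
        raise ToolError(f"timed out after {timeout}s") from exc
    if proc.returncode != 0:
        raise ToolError(f"exit {proc.returncode}: {proc.stderr.strip()[:500]}")
    if len(proc.stdout) > max_bytes:
        raise ToolError("output too large")
    try:
        data = json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise ToolError(f"non-JSON output: {proc.stdout[:200]!r}") from exc
    if not isinstance(data, dict):
        raise ToolError("expected a JSON object")
    for field, typ in schema.items():
        if field not in data or not isinstance(data[field], typ):
            raise ToolError(f"field {field!r} missing or not {typ.__name__}")
    return {k: data[k] for k in schema}


# Constructed stand-in for scripts/rag_skill.py: emits JSON, or misbehaves on request.
FAKE_TOOL = """
import json, os, sys
mode = sys.argv[1]
if mode == "ok":
    print(json.dumps({"context": "RAG retrieves documents", "kb": "docs",
                      "leak": os.environ.get("OPENAI_API_KEY")}))
elif mode == "junk":
    print("Traceback (most recent call last): boom")
elif mode == "fail":
    sys.exit(3)
elif mode == "shape":
    print(json.dumps({"context": ["not", "a", "string"]}))
"""


def demo():
    """Shows: a parent secret never reaches the child; junk, failure and wrong shape are rejected."""
    os.environ["OPENAI_API_KEY"] = "sk-constructed-secret"  # constructed for the demo only
    out = {"ok": run_json_tool([sys.executable, "-c", FAKE_TOOL, "ok"],
                               {"context": str, "kb": str, "leak": type(None)})}
    for mode in ("junk", "fail", "shape"):
        try:
            run_json_tool([sys.executable, "-c", FAKE_TOOL, mode], {"context": str, "kb": str})
            out[mode] = "accepted"
        except ToolError as exc:
            out[mode] = "rejected: " + str(exc)
    return out
```

With `os.environ.copy()` the `leak` field would carry the parent's API key; with `minimal_env()` it is `null`. The schema also strips fields the caller never asked for, so a compromised helper cannot smuggle extra keys into the agent's context.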

VirusTotal

63/63 vendors flagged this skill as clean.
