ragflow-skill-python

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RAGFlow management skill. It needs API access to a RAGFlow server, uploads files to that server, and exposes deletion commands, so users should handle it with care.

Install only if you trust the configured RAGFlow server and can protect RAGFLOW_API_KEY. Upload only files you intend to send to that server, and double-check dataset or document IDs before confirming deletion because the scripts perform API deletes immediately once invoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares access to sensitive environment variables and invokes bundled scripts that imply filesystem reads and outbound API communication, but it does not declare explicit permissions or present a clear trust boundary for those capabilities. This creates a transparency and governance gap: operators and users may not realize the skill can read local files and transmit data to an external RAGFlow service using an API key.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises create, update, delete, upload, parse, and retrieval operations against an external RAGFlow service without warning that these actions can transmit user data, document contents, queries, and metadata off-system. In a data-ingestion and search skill, that omission is particularly risky because users may unknowingly expose sensitive files or search terms to a third-party service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete command performs a destructive API action immediately from a parsed --ids argument with no interactive confirmation, dry-run mode, or explicit force gate. In an agent/tooling context, this increases the chance of accidental or prompt-induced mass deletion of datasets, especially since the interface accepts multiple IDs at once and is designed for automation.
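The gate this finding describes as missing, shown as an added example that is not the skill's own code or the RAGFlow SDK: a --ids delete wrapper with a --dry-run mode, a --force flag, a typed confirmation that refuses outright when no terminal is attached (the agent/automation case), and a batch cap. The ID format, the batch cap of five, and the `_demo_delete` stand-in for the real API call are assumptions for illustration, not RAGFlow requirements.

```python
"""Confirmation / dry-run gate for a destructive --ids delete command.

Example code written for this page, not the skill's own code. The RAGFlow
delete call is abstracted as a callable so the example runs offline.
"""
import argparse
import re
import sys
from typing import Callable, Dict, List, Optional

# Assumption: dataset ids are 32 lowercase hex chars; adjust to the server's real format.
ID_PATTERN = re.compile(r"^[0-9a-f]{32}$")
# Assumption: refuse to mass-delete more than this many ids unless --force is given.
MAX_BATCH = 5


def parse_ids(raw: str) -> List[str]:
    """Split a comma-separated --ids value, reject malformed ids, drop duplicates."""
    ids = [part.strip() for part in raw.split(",") if part.strip()]
    bad = [i for i in ids if not ID_PATTERN.match(i)]
    if bad:
        raise ValueError(f"malformed ids: {bad}")
    return list(dict.fromkeys(ids))  # dedupe while preserving order


def tty_confirm(ids: List[str]) -> bool:
    """Interactive gate: no terminal means no deletion; otherwise require the exact count typed back."""
    if not sys.stdin.isatty():
        print("refusing: no interactive terminal; pass --force to delete from automation",
              file=sys.stderr)
        return False
    print("About to permanently delete these datasets:")
    for dataset_id in ids:
        print("  ", dataset_id)
    answer = input(f"Type DELETE {len(ids)} to confirm: ")
    return answer.strip() == f"DELETE {len(ids)}"


def gated_delete(ids: List[str], delete_fn: Callable[[List[str]], None], *,
                 dry_run: bool = False, force: bool = False,
                 confirm: Optional[Callable[[List[str]], bool]] = None) -> Dict:
    """Call delete_fn(ids) only after the gate passes; return a summary of what happened."""
    if not ids:
        return {"action": "noop", "deleted": []}
    if dry_run:
        # Nothing is called: the operator sees the exact set the real run would remove.
        return {"action": "dry-run", "deleted": [], "would_delete": ids}
    if len(ids) > MAX_BATCH and not force:
        raise PermissionError(f"{len(ids)} ids exceeds batch cap {MAX_BATCH}; rerun with --force")
    if not force and (confirm is None or not confirm(ids)):
        return {"action": "aborted", "deleted": []}
    delete_fn(ids)
    return {"action": "deleted", "deleted": ids}


def _demo_delete(ids: List[str]) -> None:
    """Stand-in for the real RAGFlow delete request (assumption: not the actual API client)."""
    print(f"[demo] API delete issued for {len(ids)} dataset(s): {ids}")


def main(argv: List[str], delete_fn: Optional[Callable[[List[str]], None]] = None) -> int:
    parser = argparse.ArgumentParser(description="Delete RAGFlow datasets by id (gated).")
    parser.add_argument("--ids", required=True, help="comma-separated dataset ids")
    parser.add_argument("--dry-run", action="store_true", help="show what would be deleted, call nothing")
    parser.add_argument("--force", action="store_true", help="skip confirmation and the batch cap")
    args = parser.parse_args(argv)
    try:
        ids = parse_ids(args.ids)
    except ValueError as exc:
        print(f"refusing: {exc}", file=sys.stderr)
        return 2
    try:
        summary = gated_delete(ids, delete_fn or _demo_delete,
                               dry_run=args.dry_run, force=args.force, confirm=tty_confirm)
    except PermissionError as exc:
        print(f"refusing: {exc}", file=sys.stderr)
        return 3
    print(summary)
    return 0 if summary["action"] != "aborted" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The point of refusing when stdin is not a terminal is that an agent driving this tool cannot satisfy the confirmation by accident or by injected instruction; it has to pass --force explicitly, which is the one flag a policy layer can then deny or log.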

VirusTotal

67/67 vendors flagged this skill as clean.
