Local RAG

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local document search tool, but it creates a sensitive local index and query history that users should treat as private data.

Install only if you are comfortable with a local database containing indexed document text, embeddings, file paths, and a query history under ~/.local/share/local-rag. Review the allowed roots before indexing, avoid entering secrets as search queries, and delete or protect queries.log and the ChromaDB directory if the machine is shared or backed up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The script silently initializes a Git repository inside the ChromaDB directory and commits index contents, creating an undocumented persistence and history layer. This can retain sensitive document-derived data longer than expected and expands the skill's side effects beyond ordinary indexing/search, increasing disclosure and recovery risks if the DB directory is accessed later.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script persistently logs user queries to ~/.local/share/local-rag/queries.log, including a truncated portion of the question, timestamp, result count, latency, and score. In a local document-search skill, queries often contain sensitive information about personal files, and this analytics collection is not necessary for core retrieval and is not disclosed in the stated purpose, creating a privacy and data-retention risk.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The code writes persistent query analytics to disk that are unrelated to the essential search operation. Because this skill searches local files, user queries are especially likely to reveal confidential topics, filenames, or document contents, so storing them creates an avoidable secondary datastore of sensitive activity.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow states that queries are recorded in `~/.local/share/local-rag/queries.log`, but the skill does not present this as a user-facing privacy warning. Search queries can contain sensitive facts, names, research topics, or legal/medical concerns, so silent persistent logging creates avoidable privacy risk on a local multi-user or backed-up system.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes persistent ChromaDB storage for indexed local documents but does not clearly warn users that document content and derived searchable representations are stored on disk. Because the skill targets broad local document search across personal folders, this persistent index can expose sensitive document contents beyond the user's immediate expectation, especially if the host is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence: 94%
Finding
The rollback function performs `git checkout -- .` and `git reset --hard` without confirmation, irreversibly discarding the current state of the ChromaDB working tree. Even if intended for recovery, this is destructive state manipulation that can cause data loss and makes failures harder to audit or recover from.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script persists parent document text and child chunk text into a local ChromaDB database without any explicit user-facing consent, warning, or minimization controls. In a local-RAG skill, this matters because users may reasonably think files are only searched transiently, while the implementation actually creates a durable searchable cache of document contents that can expose sensitive material to other local processes, backups, or later queries.

Missing User Warnings

Medium
Confidence: 98%
Finding
The function logs part of the raw query text to disk without any warning, consent, or visible disclosure to the user. Even though the text is truncated to 80 characters, that is still enough to capture secrets, health/financial topics, or excerpts of sensitive document content, and the local log file may later be read by other local users, backup systems, or malware.

VirusTotal

67/67 vendors flagged this skill as clean.