RAGFlow Skill

Security checks across malware telemetry and agentic risk

Overview

This is a RAGFlow administration skill whose purpose is openly declared: it needs sensitive credentials and can change or delete RAGFlow resources. The reviewed artifacts fit that purpose and show no hidden exfiltration or deceptive behavior.

Install only if you intend to let the agent administer a RAGFlow deployment. Use a least-privilege API key, use HTTPS so the key is not sent in cleartext, require confirmation for destructive operations, restrict webhook-triggered and browser-enabled agents before production use, and treat raw token/embed output as secret material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 74%
Finding
The guide documents a browser automation component that expands the agent's expected capabilities beyond the declared skill scope. In a security-sensitive agent ecosystem, undocumented or out-of-scope browser automation encourages workflows that fetch live web content or interact with external sites, which raises the risk of SSRF, data exfiltration, and unintended actions if the underlying runtime supports it.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The agent is explicitly instructed to use a retrieval tool for 'private knowledge' but the user-facing flow only presents a generic prologue and does not disclose that private dataset content may be queried and surfaced. In a RAGFlow management skill, this increases the risk of users unknowingly causing sensitive internal knowledge to be retrieved into model responses, especially if dataset access controls are misconfigured or broader than the user expects.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
This webhook is intentionally exposed without authentication and is triggered by any POST request containing a single string field, which makes it easy for arbitrary external parties to invoke. In this example the downstream action only emits a message, so the immediate impact is limited, but in a real deployment this broad unauthenticated trigger could enable spam, abuse, event injection, or unexpected workflow execution.

Missing User Warnings

Severity: High
Confidence: 89%
Finding
The system token listing and creation commands print the full API response directly to stdout, which likely includes sensitive embed/system tokens. In CLI environments, stdout is often logged, captured by terminal session recorders, stored as CI artifacts, or piped into other tools, so this can unintentionally disclose credentials that grant access to embedded chat/agent functionality.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This script performs a real remote deletion by calling `client.deleteChunks(...)` against a live RAGFlow dataset that it creates, but it provides no interactive confirmation, dry-run mode, or explicit safety guard before issuing the destructive API call. In a skill intended to operate RAGFlow deployments, that behavior is more dangerous because users may run bundled scripts in trusted environments against production servers, and a mistaken target configuration or credential context could delete data without adequate warning.
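This finding and the overview's advice (least-privilege key, HTTPS, confirm destructive operations) call for the same guard. The following is an added example, not the skill's own script: a wrapper that refuses to carry an API key over plaintext HTTP to a non-loopback host, supports a dry run, and requires the operator to type the target dataset identifier back before the deletion is issued. The `client.deleteChunks` method name is taken from the finding; its argument list, the base-URL option, and the client object are assumptions, and the test drives it with a fake client.

```javascript
// Added example (not from the RAGFlow skill): a guard in front of a destructive
// call such as the bundled script's `client.deleteChunks(...)`. The client
// shape is assumed; the guard itself only needs an action callback.

// Refuse http:// except for loopback, so the API key is not sent in cleartext.
function assertSafeBaseUrl(baseUrl) {
  const url = new URL(baseUrl);
  const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(url.hostname);
  if (url.protocol === 'https:' || (url.protocol === 'http:' && loopback)) return url.origin;
  throw new Error(`refusing to use ${url.protocol}//${url.host}: API key would travel in cleartext`);
}

// Decide whether a destructive action may run. `confirmation` is whatever the
// operator typed (undefined in non-interactive runs). Never throws, so the
// caller can log the reason and exit cleanly.
function planDestructive({ action, target, dryRun = false, confirmation }) {
  if (dryRun) return { proceed: false, reason: `dry-run: would ${action} ${target}` };
  if (confirmation === undefined) {
    return { proceed: false, reason: 'no confirmation supplied; retype the target identifier to proceed' };
  }
  if (confirmation !== target) {
    return { proceed: false, reason: `confirmation "${confirmation}" does not match target "${target}"` };
  }
  return { proceed: true, reason: 'confirmed' };
}

// Run `execute()` only if the plan allows it. `result` is whatever the client
// returns (a promise for an async client), so the caller awaits it.
function runDestructive(opts, execute) {
  const plan = planDestructive(opts);
  if (!plan.proceed) return { ...plan, executed: false };
  return { ...plan, executed: true, result: execute() };
}

// Wiring around an assumed RAGFlow-style client. `deleteChunks` is the method
// name from the finding; the (datasetId, documentId, chunkIds) signature is a
// guess made for this example.
function deleteChunksGuarded(client, { baseUrl, datasetId, documentId, chunkIds, dryRun, confirmation }) {
  assertSafeBaseUrl(baseUrl);
  return runDestructive(
    { action: `delete ${chunkIds.length} chunk(s) from dataset`, target: datasetId, dryRun, confirmation },
    () => client.deleteChunks(datasetId, documentId, chunkIds),
  );
}

module.exports = { assertSafeBaseUrl, planDestructive, runDestructive, deleteChunksGuarded };
```

Requiring the operator to retype the dataset identifier, rather than answer "y", is what catches the mistaken-target case the finding describes: a script pointed at production by a stale environment variable still stops, because the identifier the operator has in mind will not match the one the script resolved. The dry-run path returns the same plan object, so a CI job can print exactly what would be deleted and fail closed.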

VirusTotal

0 of 64 vendors flagged this skill; all 64 report it as clean.

View on VirusTotal