dpr_pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RAGFlow management helper that uses a configured RAGFlow API key to upload, search, update, and delete RAGFlow datasets and documents.

Install only if you trust the configured RAGFlow server and API key handling. Review the base URL before use, avoid uploading sensitive files unless that RAGFlow instance is approved for them, and keep the documented delete-confirmation workflow in place for datasets and documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'request_obj' from os.getenv (line 208, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    request_obj = urllib.request.Request(url, headers=headers, data=body, method=method)

    try:
        with urllib.request.urlopen(request_obj, timeout=HTTP_TIMEOUT) as response:
            return decode_json_response(response.read())
    except urllib.error.HTTPError as exc:
        body_bytes = exc.read()
Confidence
89% confidence
Finding
with urllib.request.urlopen(request_obj, timeout=HTTP_TIMEOUT) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly relies on environment variables, local file paths, and networked API calls, but it does not declare permissions or present capability boundaries. That creates a transparency and governance gap: a caller may invoke a skill that can read local files and transmit data to external services without an explicit permission model or informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The metadata describes dataset/document and retrieval operations, but the skill also enumerates configured LLM models through a separate endpoint. That mismatch can expose infrastructure details the user did not expect to reveal, including provider inventory and unavailable/internal model entries when expanded options are used.

Intent-Code Divergence

Low
Confidence
96% confidence
Finding
At line 57, `_build_payload` raises `ConfigError`, but that exception is not imported or defined in this file, while `main()` only handles `ScriptError`. If an empty dataset name is supplied, this likely becomes an unhandled `NameError` or otherwise bypasses the intended error-handling path, causing the script to crash unexpectedly instead of failing cleanly. In this dataset-ingestion context the issue is not directly exploitable for code execution, but it can be used to trigger a denial-of-service-style failure of the skill invocation and may expose stack traces or internal implementation details to callers.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs users to upload local files and perform API-backed retrieval, but it does not warn that document contents, filenames, and queries will be transmitted to a remote RAGFlow service. In a data-ingestion context, this omission increases the risk of users unintentionally sending sensitive local or proprietary information off-host.

VirusTotal

VirusTotal engine telemetry currently flags this artifact as malicious.

View on VirusTotal