Back to skill

Security audit

LightRAG Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate shared-memory setup, but it broadly indexes private agent files into a persistent cross-agent graph with weak scoping and review controls.

Install only if you intentionally want a shared, persistent memory service across agents. Before using it, pin the Docker image, protect API keys, disable cron until reviewed, use explicit file allowlists, redact secrets and personal data, decide which agents may read and write, and document how to remove mistakenly indexed data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The ingestion commands bulk-read SOUL.md, USER.md, and all memory files across multiple workspaces, which can sweep up far more sensitive data than necessary for retrieval purposes. Because the graph is backed by external LLM/embedding providers, this creates a real risk of broad cross-agent data exposure and unnecessary transmission of confidential workspace contents.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The skill warns users not to index secrets, but then immediately provides commands that indiscriminately ingest full profile and memory files. That contradiction is dangerous because operators are likely to follow the automation as written, causing credentials, tokens, or sensitive notes embedded in those files to be sent into the graph and downstream model providers.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The bulk-indexing section encourages sending large amounts of cross-agent content into LightRAG without placing a clear warning beside those commands that the data may be processed by external LLM and embedding APIs. Users could reasonably treat this as local-only indexing because the immediate commands read local files, while the actual architecture forwards content off-host to third parties.

External Transmission

Medium
Category
Data Exfiltration
Content
KEY = "your-secure-api-key"

def insert(text, description="manual insert"):
    r = requests.post(f"{API}/documents/text",
        headers={"Authorization": f"Bearer {KEY}", "Content-Type": "application/json"},
        json={"text": text, "description": description},
        timeout=120)
Confidence
95% confidence
Finding
requests.post(f"{API}/documents/text", headers={"Authorization": f"Bearer {KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
# LLM (for graph construction and queries)
LLM_BINDING=openai
LLM_MODEL=gpt-4.1-nano
LLM_BINDING_HOST=https://api.openai.com/v1
LLM_BINDING_API_KEY=sk-your-api-key

# Embeddings (for vector search)
Confidence
99% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
EMBEDDING_BINDING=openai
EMBEDDING_MODEL=text-embedding-3-small
EMBEDDING_DIM=1536
EMBEDDING_BINDING_HOST=https://api.openai.com/v1
EMBEDDING_BINDING_API_KEY=sk-your-api-key

# Performance
Confidence
99% confidence
Finding
https://api.openai.com/

Session Persistence

Medium
Category
Rogue Agent
Content
## Step 6: Auto-Index New Daily Logs (Optional)

Create a cron job to index new daily logs automatically:

```bash
#!/bin/bash
Confidence
93% confidence
Finding
Create a cron job to

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.