LiteRAG

Security checks across malware telemetry and agentic risk

Overview

LiteRAG is a coherent documentation indexing and search skill; the main caution is that vector mode sends document chunks and queries to the configured embedding endpoint.

Before installing, inspect .literag/knowledge-libs.json. Only include paths you intend to index, and make sure embedding.baseUrl points to a trusted local or remote endpoint because document chunks and search queries may be sent there when vector retrieval is enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior and install/usage flow clearly require environment access, file reads, shell execution, and likely network access for package installation and embedding backends. This creates a capability transparency gap: operators and policy engines may allow the skill under the assumption it is low-privilege, while it can actually execute commands against workspace files and external services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code advertises a local SQLite retrieval workflow, but the configuration explicitly includes an embedding base URL and model, and later code submits document chunks and user queries to that endpoint. This creates a data-flow mismatch: operators may assume documents stay local when indexed content can be transmitted over HTTP to another service, potentially exposing sensitive documentation or prompts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The configuration supports an embedding API key and remote endpoint despite the skill being framed as local documentation retrieval. That means both credential material and documentation/query content may be sent to a network service without clear role justification, increasing the risk of unintended disclosure or trust-boundary violations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The instruction to translate natural-language requests into the 'nearest supported operation' is broad enough to trigger indexing, metadata inspection, or file inspection without the user issuing an explicit command. In a skill that can read workspace configuration, inspect arbitrary indexed paths, and run indexing workflows, overly permissive invocation mapping increases the chance of unintended sensitive file access or expensive side effects.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The embedding request routine sends indexed text content to an HTTP embeddings endpoint, and search mode also embeds raw user queries. There is no visible consent prompt, policy gate, or user-facing warning at the point of transmission, so sensitive internal docs or queries could be exfiltrated to an unintended remote service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code loads an embedding API key from configuration and later places it into an Authorization header for outbound requests. Without clear disclosure and scoping, users may unknowingly provide credentials to a component they believe is purely local, expanding the blast radius if the config, endpoint, or traffic path is compromised.

VirusTotal

63/63 vendors flagged this skill as clean.
