Personal Knowledge Base
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: personal-knowledge-base
Version: 1.0.0

The skill bundle implements a functional RAG (Retrieval-Augmented Generation) system using FAISS and ZhipuAI, but contains significant security vulnerabilities. Specifically, 'scripts/knowledge_base_manager.py' uses the 'pickle' module for data persistence of vector metadata and indices, which is susceptible to Remote Code Execution (RCE) if the storage files are tampered with. Furthermore, the script handles file operations and directory creation based on user-supplied knowledge base names without robust path sanitization, creating a potential path traversal risk. While these appear to be unintentional architectural flaws rather than intentional malice, the combination of insecure deserialization and broad file system access warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A ZhipuAI API key placed in config.txt could be revealed in local logs or chat/runtime output, letting someone else use the user’s provider account if they can see those logs.
The documentation allows storing the provider API key in config.txt, and the loader stores arbitrary config keys and then logs the full config at INFO level. If a user uses the documented config-file API key method, the key may be exposed in logs.
SKILL.md: `ZHIPUAI_API_KEY=your-api-key-here`; script: `config[key] = value` ... `logger.info(f"配置加载成功: {config}")`
Use the environment-variable method rather than config.txt, and the skill author should redact secrets before logging or avoid logging the full config.
Private documents imported into the knowledge base may remain stored locally and relevant excerpts may be sent to ZhipuAI during embedding or answering.
The skill persistently stores original files and vector metadata, then reuses retrieved document chunks for later answers and sends relevant content to the LLM provider.
`The Skill copies the file into the knowledge base's sourcefiles directory, then automatically splits the file content into text chunks, generates vectors and stores them in the vectordb directory` ... `Send relevant content and question to LLM for answer`
Only import files you are comfortable storing in the configured workspace and processing with the external AI provider; delete files from the knowledge base when no longer needed.
A user-requested delete operation removes the knowledge-base copy of a file and its searchable vectors, so the content will no longer be retrievable through the skill.
The skill can delete stored source files and their vectorized chunks as part of the documented knowledge-base deletion workflow.
`Delete all text chunks related to that file from the vector store` ... `Delete the original file in the sourcefiles directory`
Confirm the target knowledge base and filename before asking the agent to delete or update files.
Installing unpinned packages can pull newer or different dependency versions than the author tested.
The skill depends on multiple third-party Python packages, and the documentation lists package names without pinned versions or hashes.
`faiss-cpu`, `langchain`, `langchain-community`, `langchain-text-splitters`, `pypdf`, `python-docx`, `python-pptx`, `markdown`, `zhipuai`, `docx2txt`
Install dependencies in a virtual environment and prefer pinned versions from a trusted requirements file if the author provides one.
