OEE Knowledge Base RAG

Security checks across malware telemetry and agentic risk

Overview

This is a coherent personal knowledge-base skill, but it has a real code-execution bug in its local PDF ingestion path (the file path is interpolated into a shell-spawned Python command), and it under-discloses that saved content is stored locally and sent to external AI providers.

Review before installing. Avoid ingesting untrusted local PDF paths, use the search-only mode for sensitive local retrieval, and do not save secrets, credentials, regulated data, or confidential documents unless you are comfortable with local persistence and processing by the configured AI providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
path = tmp.name

try:
    result = subprocess.run(
        ["python3", "-c", f"""
import sys
try:
Confidence
98% confidence
Finding
result = subprocess.run(
    ["python3", "-c", f"""
import sys
try:
    import fitz
    doc = fitz.open("{path}")
    for page in doc:
        print(page.get_text())
except ImportError:
    im

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly encourages ingesting text, URLs, files, and notes into a persistent local SQLite knowledge base, and it also states that an API key for an embeddings provider is required. That means potentially sensitive user content may be stored long-term and may be transmitted to a third-party provider, yet the description provides no privacy, retention, or data-sharing warning to users or agents.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill transmits ingested content chunks to a third-party embeddings API with no explicit consent or warning, which can expose sensitive or proprietary data. In a knowledge-base tool, users may reasonably ingest private documents, making silent external transmission materially risky.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code sends both user queries and retrieved knowledge-base content to Anthropic without any explicit disclosure or consent gate. Because the retrieved context may contain private notes or documents, this can leak sensitive material to a third party unexpectedly.

Ssd 3

Medium
Confidence
94% confidence
Finding
Retrieved content is inserted verbatim into the LLM prompt with no separation or defensive framing beyond a plain instruction, so stored documents can contain adversarial text such as prompt injections that manipulate the model's behavior. In a RAG system, untrusted content is the context, so prompt injection is a core threat and can cause data leakage, false answers, or instruction override.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal