OEE Knowledge Base RAG

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A maliciously crafted local PDF filename or path could cause code to run on the user's machine when the agent ingests it.

Why it was flagged

The file path is interpolated directly into Python source code that is executed with `python3 -c`. If a local PDF path contains crafted quotes or Python expression syntax, it can potentially change the generated program and run unintended code.

Skill content

subprocess.run(["python3", "-c", f"""
import sys
try:
    import fitz
    doc = fitz.open("{path}")
...
    r = subprocess.run(["pdftotext", "{path}", "-"], capture_output=True, text=True)

Recommendation

Do not generate Python code with embedded paths. Import the PDF library directly in the process, or pass the path through argv/environment variables and treat it only as data.

What this means

The skill may fail or behave differently unless the needed tools and API keys are available, and users may not see these requirements from metadata alone.

Why it was flagged

The documentation and code rely on provider API keys and optional external binaries, but the registry metadata does not declare them. This is setup under-disclosure, not evidence of malicious behavior.

Skill content

metadata: Required env vars: none; Required binaries: none ... SKILL.md: `ANTHROPIC_API_KEY` or `OPENAI_API_KEY` for embeddings ... kb.py: ["yt-dlp", "--write-auto-sub", ...] and ["pdftotext", "{path}", "-"]

Recommendation

Declare required or optional environment variables and binaries in metadata, and document which features need each dependency.

What this means

Saved content may be sent to the selected embedding provider and billed or logged according to that provider's terms.

Why it was flagged

The skill requires a provider API key for embeddings. That is expected for this RAG purpose, but it gives the skill access to use the user's embedding-provider account.

Skill content

`ANTHROPIC_API_KEY` or `OPENAI_API_KEY` for embeddings

Recommendation

Use a dedicated, least-privilege API key where possible and avoid ingesting sensitive content unless provider handling is acceptable.

What this means

Anything saved to the knowledge base can remain on disk and be retrieved in later tasks, including sensitive notes if the user ingests them.

Why it was flagged

The skill stores raw saved content, chunks, and embeddings in a persistent SQLite database next to the skill files. This is expected for a knowledge base but creates persistent memory.

Skill content

DB_PATH = Path(__file__).parent / "kb.db" ... raw_content TEXT ... content TEXT ... embedding BLOB

Recommendation

Only ingest information you intend to keep, review where `kb.db` is stored, and add clear deletion/export/retention guidance.