Ai Rag Pipeline

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ai-rag-pipeline
Version: 0.1.5

The skill bundle is designed for RAG pipelines and drives the `inference.sh` CLI. It grants broad `Bash(infsh *)` permissions, allowing the agent to execute any `infsh` command. The primary concern is a prompt/shell injection vulnerability in `SKILL.md`: user-controlled input (`$query`) and API responses (`$results`) are interpolated directly into shell commands that construct the JSON payloads for `infsh app run` (for example in the `research.sh` template and other examples). Because this input is not sanitized, an attacker could manipulate `infsh` command arguments or, if the injection breaks out of the `infsh` context, execute arbitrary shell commands. While this is a critical vulnerability, there is no evidence of intentional malicious activity such as data exfiltration or backdoor installation.
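Added example (not the skill's own code, and not ClawScan's) contrasting the interpolation pattern described above with a safe construction. The contents of `research.sh` are not on this page, so `vulnerable_payload` is a hypothetical reconstruction of that pattern; `exa/search` is taken from the page's listed apps, and the sample query is constructed.

```python
import json
import subprocess

# Constructed sample of user-controlled input standing in for $query: it holds
# a double quote and a $(...) sequence, which terminate a hand-built JSON
# string and get expanded by a shell.
SAMPLE_QUERY = 'latest RAG papers" $(date)'

def vulnerable_payload(query):
    """Unsafe pattern (hypothetical reconstruction of the research.sh
    template): $query is pasted into the JSON text with no escaping, as a
    shell line like  --input "{\"query\": \"$query\"}"  would do."""
    return '{"query": "' + query + '"}'

def build_payload(query):
    """Safe form: a real JSON encoder escapes quotes, backslashes and control
    characters, so the whole query stays one string value."""
    return json.dumps({"query": query})

def build_argv(app, payload):
    """Argument vector for infsh with no shell in the loop: each element is
    handed to execve verbatim, so $(...) or ; in the payload is never parsed."""
    return ["infsh", "app", "run", app, "--input", payload]

def run_search(app, query, dry_run=True):
    """Invoke infsh with an argv list (shell=False); dry_run skips the call so
    the example runs where the CLI is not installed."""
    argv = build_argv(app, build_payload(query))
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv

def payload_is_valid(payload):
    """True if the payload parses as JSON; the unsafe form fails this check."""
    try:
        json.loads(payload)
        return True
    except ValueError:
        return False

def decoded_query(payload):
    """Read the query back out of a payload to confirm it survived intact."""
    return json.loads(payload)["query"]

if __name__ == "__main__":
    print("unsafe:", vulnerable_payload(SAMPLE_QUERY),
          "valid JSON?", payload_is_valid(vulnerable_payload(SAMPLE_QUERY)))
    print("safe argv:", run_search("exa/search", SAMPLE_QUERY))
```

The same fix in the shell script itself is to build the payload with `jq -n --arg query "$query" '{query: $query}'` and pass it as a single quoted argument rather than assembling the JSON by string interpolation.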

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the skill is invoked, the agent may be able to use broader infsh functionality than the exact examples describe.

Why it was flagged

The skill grants access to any infsh command rather than only the specific search, extraction, and LLM app runs shown in the examples.

Skill content
allowed-tools: Bash(infsh *)
Recommendation

Review the infsh commands before allowing them, and prefer narrower tool scoping if the platform supports it.

What this means

Running the installer changes the local environment and depends on trusting the inference.sh distribution path.

Why it was flagged

The Quick Start instructs the user to download and execute an external installer script for the required CLI, while the registry has no install spec for review.

Skill content
curl -fsSL https://cli.inference.sh | sh && infsh login
Recommendation

Install only if you trust inference.sh; consider using the documented manual install and checksum verification path.

What this means

Commands may run under the logged-in inference.sh account and use whatever access that account has.

Why it was flagged

The skill requires logging into the external infsh service, even though the metadata lists no primary credential.

Skill content
infsh login
Recommendation

Log in with the intended account only, review account permissions, and avoid sharing credentials or sessions across unrelated uses.

What this means

Private or sensitive information placed in prompts, queries, or URLs could be sent to third-party services.

Why it was flagged

The examples route user queries, retrieved results, URLs, and prompts through external search and LLM providers.

Skill content
infsh app run openrouter/claude-sonnet-45 --input ...; tavily/search-assistant; exa/search; exa/answer
Recommendation

Use the skill for data you are comfortable sending to the listed providers, and avoid entering secrets or private documents unless you have reviewed their data policies.

What this means

Untrusted web content could influence the generated answer or cause the model to over-trust bad sources.

Why it was flagged

Retrieved web/search content is inserted directly into LLM prompts; such content can contain misleading or instruction-like text.

Skill content
Based on the following search results, provide a comprehensive summary with citations.\n\nSearch Results:\n$SEARCH_RESULT
Recommendation

Treat retrieved content as untrusted evidence, ask for citations, and verify important claims before acting on them.