RAGFlow open-source Retrieval-Augmented Generation (RAG) engine — deployment, configuration, management, and troubleshooting.

Review

Audited by ClawScan on May 12, 2026.

Overview

This is a coherent instruction-only RAGFlow deployment guide; its notable risks are expected setup/admin commands, API-key handling, code-execution features, and document indexing rather than hidden behavior.

Install or use this skill only if you intend to deploy or administer RAGFlow. Verify the upstream repo/images, review every Docker or CLI command before running it, back up data before destructive operations, protect API keys and default service passwords, restrict public network exposure, and import only documents you are comfortable storing and indexing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run at the wrong time, deployment/admin commands can delete RAGFlow data or disrupt local services.

Why it was flagged

The deployment reference includes a user-directed Docker command that removes deployment volumes, and the surrounding text warns this causes data loss.

Skill content

docker compose -f docker/docker-compose.yml down -v

Recommendation

Review commands before execution, back up data before destructive operations, and require explicit user approval for down -v, DROP, prune, or similar commands.

What this means

Exposed or mishandled API keys could allow unauthorized model use or account charges.

Why it was flagged

The skill tells users to configure LLM provider API keys. This is expected for RAGFlow but gives the deployment access to provider accounts and possible paid usage.

Skill content

api_key: "sk-..."

Recommendation

Use least-privilege keys where possible, avoid committing secrets, prefer a secrets manager or protected config, and rotate keys if they are pasted into shared contexts.

What this means

Running unverified upstream code, Docker images, or dependency installs can introduce supply-chain risk even when the guide itself is instruction-only.

Why it was flagged

The setup flow pulls upstream source and later uses package/dependency installation commands; those external artifacts are not included in this skill for review.

Skill content

git clone https://github.com/infiniflow/ragflow.git

Recommendation

Use official sources, pin or verify release tags/images, review upstream installation scripts, and avoid running development setup commands on sensitive hosts.

What this means

If agent workflows are misconfigured or the sandbox is weak, code-execution features could affect data or infrastructure.

Why it was flagged

RAGFlow's agent system includes a code-executor component. The document frames it as sandboxed and purpose-aligned, but it is still a sensitive capability.

Skill content

| Code Executor | Run Python/JavaScript in sandbox |

Recommendation

Enable code execution only when needed, use the documented sandboxing such as gVisor, limit network/file/database access, and review agent workflows before use.

What this means

Imported documents can persist in the knowledge base and influence future answers; sensitive or untrusted documents may expose data or poison retrieval results.

Why it was flagged

The RAG workflow stores uploaded document text and embeddings for later retrieval. This is core RAGFlow functionality but creates persistent context.

Skill content

Vectors + text stored in Elasticsearch/Infinity

Recommendation

Import only intended documents, separate sensitive datasets, restrict access to the RAGFlow deployment, and define retention/deletion practices.