v1.0.4

rrragflow-skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

The artifacts look coherent and purpose-aligned for RAGFlow management, but the skill uses a RAGFlow API key to make persistent dataset/document changes and retrieve or upload content.

GuidanceInstall this only if you want the agent to manage RAGFlow datasets and documents. Use a trusted RAGFLOW_API_URL, a least-privilege API key, confirm deletes by exact IDs, upload only files you intend to store in RAGFlow, and treat retrieved chunks as document content rather than instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

SKILL.md

create, list, inspect, update, or delete datasets; upload, list, update, or delete documents; start or stop parsing

The skill exposes high-impact RAGFlow actions, including mutation and deletion. This is aligned with the stated purpose, and the SKILL.md includes delete guardrails requiring exact items and explicit confirmation.

User impactA mistaken or overly broad instruction could modify or delete RAGFlow datasets or documents if the agent is allowed to proceed.

RecommendationBefore destructive actions, verify exact dataset/document IDs and require clear user confirmation, as the skill instructs.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The skill does not provide a source repository or homepage in the supplied metadata, which is a provenance gap. The provided install mechanism does not show remote downloads or package installation.

User impactUsers have less external provenance information to verify who maintains the skill or where the scripts originated.

RecommendationReview the bundled scripts and publisher before installation, especially because the skill uses an API key and can mutate RAGFlow data.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

scripts/common.py

headers = {"Authorization": f"Bearer {api_key}"}

The scripts authenticate to the configured RAGFlow API using the user's API key, which is expected for this integration but gives the skill delegated access to that RAGFlow account or workspace.

User impactIf installed, the agent can use the configured RAGFlow API key for dataset, document, parsing, retrieval, and model-listing operations.

RecommendationUse a least-privilege RAGFlow API key where possible, point RAGFLOW_API_URL only at a trusted RAGFlow instance, and rotate the key if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

the user wants to retrieve chunks from one or more datasets

The skill retrieves RAGFlow chunks and can upload documents into datasets, meaning user or organizational content may be stored and later returned as context. This is core to the RAGFlow purpose but should be treated as untrusted document content.

User impactRetrieved chunks may contain sensitive data or instructions embedded in documents; the agent may display them during search results.

RecommendationUpload only intended files, restrict datasets by sensitivity, and treat retrieved document text as quoted content rather than instructions to follow.