LightRAG Search Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to query LightRAG knowledge bases, but its helper disables HTTPS certificate checks, which can expose queries and API keys to interception.

Review this skill before installing. It is not showing destructive or deceptive behavior, but do not use it with API keys, private documents, or sensitive queries unless the TLS verification bypass is removed and the local config file is protected. Treat retrieved knowledge-base text as untrusted reference material, not instructions to follow automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill documentation describes capabilities that require reading a local config file, potentially writing configuration, and making network requests to LightRAG servers, yet it declares no permissions. This creates a transparency and governance gap: an agent or reviewer may authorize the skill without realizing it can access local files and send data over the network, which increases the risk of unintended data exposure or policy bypass.

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding:
The script stores server URLs and API keys in a user config file under the home directory, which expands the skill's behavior beyond simple querying and creates a local secret-retention risk. While persistence is functionally useful, storing credentials in plaintext without permission hardening, encryption, or clear disclosure can expose secrets to other local users, backups, or malware.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The code disables both TLS certificate validation and hostname verification for all outbound requests, making HTTPS connections vulnerable to man-in-the-middle interception and server impersonation. Because this tool sends queries and optionally an API key to remote servers, an attacker on the network path could read or alter sensitive requests and responses.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly instructs users to retrieve knowledge-base context and pass it into writing tasks without any warning, filtering, or sensitivity checks. In this context, the danger is elevated because knowledge bases may contain proprietary, personal, or otherwise sensitive material, and forwarding raw retrieved context to another model or task can leak confidential data beyond the original retrieval boundary.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The config command writes the provided API key to a local config file without any warning, consent flow, or protection mechanism. This creates a confidentiality risk because users may assume the key is ephemeral, while in reality it is stored on disk in plaintext and may be exposed through filesystem access, backups, or logs.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The tool transmits arbitrary query text to a configured remote server, and because TLS verification is disabled, that data can be intercepted or modified in transit. In the context of a knowledge-base skill, queries may contain proprietary documents, internal questions, or sensitive contextual prompts, so the confidentiality and integrity impact is significant.

VirusTotal

66/66 vendors flagged this skill as clean.