anythingllm-rag

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it handles private document uploads through an unsafe shell script with a hardcoded API key and insufficient disclosure.

Review before installing. Use only with a trusted AnythingLLM instance, remove and rotate the embedded API key, set your own scoped ANYTHINGLLM_API_KEY and workspace, and fix the eval-based upload-text command before using this with sensitive documents. Treat uploads as persistent additions to a knowledge base, not temporary chat context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs the agent to execute shell commands, but the manifest does not declare that capability or any equivalent permission boundary. This undermines review and least-privilege controls, making it easier for a user or downstream automation to invoke code execution without clear visibility into the risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a document-query helper, but its documented commands also allow listing documents, checking service/auth state, and uploading arbitrary raw text, which are materially broader behaviors. This mismatch can cause the agent or user to invoke sensitive administrative or data-ingestion actions without understanding that the skill can enumerate knowledge-base contents or transmit new data to the backend.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script exposes `workspaces` and `health` commands that go beyond the declared purpose of querying and uploading documents for a user's local knowledge base. Workspace enumeration can reveal additional tenant or project identifiers, and auth/health inspection increases service reconnaissance surface without clear user need.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Listing all AnythingLLM workspaces is broader than the skill's stated purpose of searching a user's private documents. If the API key has broad access, this enables discovery of other workspace IDs and metadata that may facilitate unauthorized access attempts or cross-workspace data exposure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to activate on many ordinary requests about personal files, increasing the chance that the agent routes prompts to this skill when the user did not intend to access or upload private documents. In a skill that can query a local knowledge base and upload content, overly permissive triggering raises the risk of unintended disclosure or data transfer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill supports uploading files and raw text but does not warn that document contents will be transmitted to the AnythingLLM service, which may be a separate local or remote system with its own retention and access controls. Because the skill is explicitly used for private/local documents, lack of disclosure and consent around data transmission materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upload functions send file contents and raw text to the AnythingLLM API, but the skill provides no explicit disclosure or consent boundary before transmitting potentially sensitive local data. In a private-document skill, users may assume local-only processing, so silent network transfer materially increases privacy risk.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The query command sends user questions to the AnythingLLM API without an explicit disclosure step. This is expected for an API-backed RAG skill, but it still creates a privacy concern because prompts may contain sensitive document references or secrets the user did not realize would be transmitted.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal