Back to skill

Security audit

RAGLite - Local Expandable Library AI Library

Security checks across malware telemetry and agentic risk

Overview

RAGLite looks like a legitimate local document-search skill, but it needs Review because it installs its executable core from an unpinned GitHub main branch before handling potentially sensitive documents.

Install only if you trust the upstream GitHub repository at install time, or pin and review a specific commit yourself. Use a dedicated output directory and Chroma collection, explicitly choose the engine you trust, and avoid highly sensitive records unless you understand where the generated Markdown, `.raglite` cache, and Chroma data will persist and how to delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Memory PoisoningPersistent Context Injection, Context Window Stuffing, Memory Manipulation
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
This is a mismatch because the provided code does not itself implement the described document distillation, Chroma indexing, or hybrid search behavior. Instead, it fetches and executes a third-party package from GitHub, which is a significant behavior not stated in the description. The wrapper also injects a default engine parameter ('openclaw'), suggesting dependence on an external engine or service not disclosed by the declared purpose. Even if raglite may provide the claimed features, the actual code shown primarily installs and proxies to remote code, which is materially different from the description and introduces undeclared external access.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest describes a local-first RAG cache, which suggests operation on local data and infrastructure. This installer explicitly retrieves package code from a remote GitHub repository, introducing a network-dependent behavior not reflected in the description.

Memory Manipulation

High
Category
Memory Poisoning
Content
2) **Index** locally into Chroma
3) **Query** with hybrid retrieval (vector + keyword)

It doesn’t replace memory/context — it’s the place to store what you need again.
Confidence
85% confidence
Finding
replace memory

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.