local-file-rag-basic

Security checks across malware telemetry and agentic risk

Overview

This is a real local file search skill, but it should be reviewed because it can silently install npm packages and cache broad local file contents.

Install only if you are comfortable with the skill reading, extracting, and caching files under the directory you choose. Avoid pointing rootDir at home directories, repositories with secrets, or broad business folders; preinstall and review the npm dependencies yourself where possible; and delete .storage/code-rag.db when you no longer want the index retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill automatically installs missing npm packages by invoking `execSync` with `shell: true`, which mutates the host runtime and executes external code without user approval. Even though the package names are currently hardcoded, this behavior creates a supply-chain execution path and expands the attack surface in a tool whose purpose is local file retrieval, not environment modification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
A local file RAG skill is expected to read and index local content, but this code also changes the execution environment by installing packages at runtime. That hidden side effect violates least surprise and can lead to unreviewed code execution, policy bypass, or operational instability on systems where skills should be read-only.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly encourages users to 'extract and analyze' Excel data but does not clearly disclose that the skill may access local files and document contents from the user's workspace. In a local file RAG context, this can lead to unintended exposure of sensitive spreadsheet contents because users may invoke the feature without understanding the scope of file access.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill recursively scans supported workspace files, reads their contents, and persists extracted text and metadata into a local SQLite database under .storage without any consent, notice, or apparent scoping controls in this code. In a security-sensitive workspace, this can silently copy secrets, proprietary code, documents, and embedded sensitive data into a secondary datastore that may broaden retention, discovery, and accidental exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code silently installs missing dependencies without explicit consent or clear user-facing disclosure, using a shell command and suppressing output. In an agent skill context, undisclosed execution of package installation is dangerous because it can surprise operators, violate environment controls, and introduce malicious or compromised third-party code.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill reads and returns entire local file contents for matched small files, which can expose secrets, credentials, proprietary code, or personal data if the workspace contains sensitive material. In a RAG/search tool, broad file exfiltration is especially risky because natural-language queries can retrieve data from many files with minimal friction.

VirusTotal

66/66 vendors flagged this skill as clean.