local-file-rag-basic
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: local-file-rag-basic
Version: 1.0.0
The skill is classified as suspicious due to two primary vulnerabilities. Firstly, the `local_file_rag_search` tool's `rootDir` parameter in `script/index.js` allows an AI agent to specify arbitrary directories for scanning, enabling local file disclosure and potential data exfiltration if the agent is prompted maliciously. Secondly, the `ensureDependencies` function in `script/index.js` uses `child_process.execSync` with `shell: true` for dependency installation. While currently used with hardcoded, benign packages, this primitive is highly susceptible to shell injection if the dependency list were ever derived from untrusted input, posing a significant RCE risk. There is no evidence of intentional malicious behavior such as exfiltration to external endpoints or backdoor installation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
First use may fetch and run third-party npm package code silently on the user's machine.
The constructor can automatically run npm install through a shell when dependencies are missing, downloading and executing package install behavior without a separate install step or visible prompt.
execSync(`npm install --no-save ${missingDeps.join(' ')}`, { cwd: skillDir, stdio: 'ignore', shell: true });
Move dependency installation to a reviewed install spec, pin versions, avoid shell:true where possible, show output, and require user approval before installing packages.
A broad or mistaken rootDir could cause the agent to index private files outside the intended project.
The search tool accepts a rootDir, switches to that path, and then processes the workspace recursively, with no visible restriction to the current project or explicit approval boundary.
if (rootDir && path.resolve(rootDir) !== path.resolve(this.workspaceDir)) { ... this.setupWorkspace(path.resolve(rootDir)); } ... await this.chunker.processWorkspace();
Restrict rootDir to the active workspace by default, require explicit user approval for broader paths, and document sensitive-directory exclusions.
Sensitive file content may remain cached locally and be returned into future agent context after the original search.
The skill persists indexed file chunks and content into a local SQLite database under the scanned workspace.
this.dbDir = path.join(workspaceDir, '.storage'); ... this.dbPath = path.join(this.dbDir, 'code-rag.db'); ... INSERT INTO chunks ... content
Clearly document what is stored, add retention and deletion controls, exclude sensitive files by default, and let users rebuild or remove the index.
