Rag
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-rag-skill Version: 1.0.6 The skill is classified as suspicious primarily due to a significant prompt injection vulnerability identified in `launch_rag_agent.sh` and `rag_agent.py`. These scripts directly embed user input into Python commands and LLM prompts without explicit sanitization, allowing a malicious user to potentially manipulate the AI agent's behavior. Additionally, the `scripts/moltbook_post.py` file introduces an optional outbound network call to `https://www.moltbook.com/api/v1/posts` for posting announcements. While this feature is optional, requires an API key, and is for a stated purpose, any external network communication represents a potential risk, especially when combined with the prompt injection vulnerability, even if no direct data exfiltration is observed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private chat history, code, configuration snippets, or misleading instructions from old content could be surfaced in later answers or influence the agent's behavior.
The artifact explicitly creates persistent retrieved context from broad local/private sources and reuses it automatically in future AI responses. That is central to RAG, but the scope and automatic reuse create material privacy and context-poisoning risk.
It indexes your entire knowledge base – chat transcripts, workspace code, skill documentation ... When the AI responds, it automatically ... Includes that context in the response ... This happens transparently
Index only directories you intend to reuse, avoid indexing secrets or sensitive chats, add exclusions, review retrieved context, and use the delete/reset tools to remove data you do not want retained.
A scheduled updater could continue adding new chats and workspace files to the local RAG store after initial setup.
The documentation describes a recurring background update mechanism that keeps indexing new or changed local data. It is disclosed, but users should confirm it is not running unexpectedly.
The RAG system includes an automatic update script that runs daily ... Runs via cron at 4:00 AM UTC daily ... State tracking: ~/.openclaw/workspace/memory/rag-auto-state.json
Check OpenClaw cron jobs, disable the updater if not wanted, and review the state and log files mentioned in the documentation.
If used, the skill can act through a Moltbook account and publish content using the configured key.
The optional Moltbook helper uses an API key and can post public/community content, while the registry metadata lists no required credentials. The behavior is documented and user-directed, so this is a notice rather than a standalone concern.
To use Moltbook posting, configure your API key: export MOLTBOOK_API_KEY="your-key-here" ... python3 scripts/moltbook_post.py "Title" "Content"
Only configure a Moltbook API key if you intend to use posting, keep the key scoped if possible, and review any content before publishing.
Installing or updating the dependency/model may bring in external code or artifacts that are outside the reviewed skill files.
The skill depends on an external Python package and an initial model download. This is expected for a local RAG system, but the dependency is not pinned in the visible install instructions.
python3 -m pip install --user chromadb ... Embeddings: all-MiniLM-L6-v2 (downloaded once, 79MB)
Install from trusted package indexes, consider pinning versions, and review dependency provenance if this is used in a sensitive environment.