ClawHub
Back to skill

Security audit

Rag

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local RAG/search skill, but it handles broad private local data and bundles an under-disclosed external posting feature that conflicts with its local-only claims.

Install only if you are comfortable with a local index of OpenClaw chats, tool outputs, and workspace files being reused in future prompts. Avoid indexing secrets or private projects unless you have reviewed the files, and treat Moltbook posting as a separate public network feature that should not be used with retrieved private content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises broad capabilities including environment access, file read/write, and network use, but does not declare permissions or clearly bound those operations. In a skill that indexes sessions and workspace files, this combination can expose sensitive local data and enable unexpected exfiltration or destructive actions without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior exceeds the stated purpose: besides local indexing and search, it includes external posting, destructive collection management, and agent/session launching with injected context. This mismatch prevents users from making an informed trust decision and increases the chance that sensitive indexed content is used or transmitted in ways they did not expect.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The Moltbook posting feature introduces outbound data-sharing capability that is outside the stated purpose of a local RAG skill. In a skill that automatically indexes chats, workspace files, and memory, adding a social-posting integration increases the risk that indexed or derived sensitive content could be exfiltrated or disclosed to a third party, especially if users assume the skill is purely local.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is framed as a local-only RAG system, yet later documents an optional Moltbook publishing feature that sends content to an external service. Even if optional, bundling external transmission into a privacy-sensitive indexing skill materially changes the threat model and can mislead users about data handling.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation explicitly claims there are no custom network calls and that all processing is local-only, but later provides instructions for posting to an external service. Contradictory security claims are dangerous because users may rely on them when deciding whether to index sensitive sessions, credentials, or private workspace files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The ingestor explicitly converts transcript toolCall arguments and toolResult payloads into searchable text, which can capture secrets, file contents, command outputs, tokens, or other sensitive data that appeared during prior sessions. In a RAG system that automatically indexes all sessions, this materially expands the data surface beyond conversational summaries and can expose sensitive operational context to later retrievals or prompt injection chains.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script does more than retrieval: it launches a new OpenClaw session and feeds it generated prompt content. That broadens the trust boundary from local search into autonomous agent execution, which can unexpectedly act on retrieved content or user input in a new session without explicit consent at launch time.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A RAG skill is expected to index and search data, but this launcher grants broader orchestration capability by spawning a fresh agent process. That creates an unnecessary execution surface where retrieved knowledge-base content can influence another agent's behavior, increasing the chance of prompt injection, unintended actions, or misuse beyond the stated purpose.

Scope Creep

Medium
Confidence
95% confidence
Finding
The manifest declares an empty capabilities list, yet the package clearly performs persistent local writes, indexing, and update operations via Python and shell scripts. This creates a trust and permission-model mismatch: users or orchestration systems may treat the skill as low-privilege while it actually modifies local storage and ingests potentially sensitive files from sessions and workspace content.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The description frames the skill as semantic search, but it also advertises automatic ingestion and persistent storage of chat sessions, workspace code, documentation, and skills. That mismatch can cause users to underestimate the privacy and data-retention implications, especially because sensitive local content is being copied into a searchable knowledge store.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This documentation describes a social-network posting capability that is outside the declared purpose of a local RAG/indexing skill. Such scope mismatch is dangerous because it can hide unexpected outbound actions and make reviewers or users trust the package as local-only when it also supports external publication.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented setup of an API key for Moltbook enables authenticated outbound posting that is unrelated to the advertised local RAG functionality. In context, this increases the risk of covert or unjustified data exfiltration, reputation harm, or unauthorized posting through a capability users would not reasonably expect this skill to have.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file explicitly documents requests to an external API endpoint with authentication headers, confirming network-posting behavior in a skill marketed as local semantic search. That mismatch is dangerous because it creates an unexpected outbound channel that could publish sensitive workspace-derived content or agent-generated text off-system.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script adds external social-posting capability to a skill described as a local RAG/indexing tool with no API keys required. That mismatch is dangerous because users may install or trust the skill expecting only local retrieval, while it actually enables outbound publication of content to a third-party service.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads an external service API key from environment variables or a local credentials file even though the skill description says no API keys are required and focuses on local embeddings/search. This broadens the trust boundary and creates risk of unauthorized use of credentials in a skill users would not expect to access them.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script performs outbound network posting to Moltbook, which is unjustified for a local RAG/search skill that claims local-only behavior. In context, this is especially dangerous because a RAG tool may access sensitive workspace, documentation, and session content; adding undisclosed exfiltration-capable posting materially increases abuse potential.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README describes ingesting chat sessions, workspace files, and skills without a clear privacy warning, even though these sources may contain secrets, credentials, personal data, or sensitive internal code. In the context of a system that centralizes and semantically indexes local content, omission of data-collection disclosure materially increases the chance of unintentional exposure and over-collection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README says the AI automatically consults the knowledge base and transparently incorporates retrieved content into responses, but gives no warning that user content is being searched and surfaced automatically. In a RAG system indexing chats and workspace data, that can cause sensitive material to be reproduced in later outputs unexpectedly, increasing confidentiality risk and making prompt-boundary assumptions unsafe.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Enabling scheduled automatic re-indexing without warning means the skill continuously re-processes local chats and workspace content in the background, which expands the privacy and security exposure window. In this skill's context, persistent background access to sensitive local data is more dangerous because it normalizes broad collection and may capture newly introduced secrets or private conversations without active user awareness.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The phrase that AI integration retrieves context transparently does not define when retrieval runs, what sources are searched, or what content may be injected into prompts. In a system indexing chats, code, and docs, ambiguous automatic retrieval can surface secrets or private context into unrelated tasks without the user's awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workspace ingestion routine recursively scans the default workspace and indexes file contents into the RAG store with broad file globs and no consent prompt, warning, or filtering for sensitive material such as secrets, configs, credentials, or private notes. Even though storage is local, this still expands exposure by centralizing potentially sensitive data into a searchable corpus that other local components or future prompts may retrieve unintentionally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically ingests local session transcripts into a persistent knowledge store without any user-facing warning, confirmation, or consent flow. Because session logs may contain private prompts, generated content, tool outputs, and workspace-derived data, silent indexing increases the chance of unintentional retention and later disclosure through semantic search.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically searches local knowledge sources and injects retrieved text directly into the spawned agent's prompt without warning or review. Because the indexed sources include chat sessions, workspace files, documentation, and skills, this can leak sensitive local data and also propagate malicious or misleading prompt content from the knowledge base into the new agent context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code automatically loads prior session messages from a JSONL file and prepends retrieved knowledge-base content to the prompt sent downstream, but provides no notice, consent gate, or filtering for sensitive data. In this skill's context, the RAG system indexes chat sessions, workspace code, documentation, and skills, so the augmented prompt can unintentionally disclose secrets, proprietary code, prior conversations, or other sensitive local content to the model or any connected logging layer.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
reset_collection() deletes all documents unconditionally with no confirmation, safeguard, or access control, making accidental or misuse-driven destruction easy. In this skill's context, the collection may contain indexed chat history, workspace code, documentation, and skills, so a reset can erase valuable local knowledge and disrupt assistant behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal