Knowledge Base Skill
WarnAudited by ClawScan on May 18, 2026.
Overview
The skill is mostly a coherent local knowledge-base tool, but its file-management code can be driven with crafted paths that may write or delete files outside the intended knowledge-base folder.
Use only simple business and attachment names, avoid slashes, absolute paths, and '..' segments, and avoid delete commands until the path-handling issue is fixed. Back up important data and store only screenshots or answers you are comfortable keeping in the local knowledge base.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken business name could cause the agent to create, overwrite, or delete directories outside this skill's own knowledge-base storage.
The business name is used directly as a filesystem path component, and the resulting directory can be recursively deleted. Absolute paths or '..' traversal are not rejected.
def get_business_dir(business_name: str) -> str:
return os.path.join(KB_ROOT, business_name)
...
if os.path.exists(business_dir):
shutil.rmtree(business_dir)Normalize and validate business names, reject absolute paths and path traversal, confine all operations under a fixed data directory, and require explicit confirmation before recursive deletion.
If invoked with an absolute filename or traversal segments, this helper could delete an unrelated local file that the user account can access.
The image delete command accepts command-line business and filename values, joins them into a path, and deletes that path without checking that it remains inside the attachments directory.
image_path = os.path.join(ATTACHMENTS_ROOT, business_name, filename)
...
os.remove(image_path)
...
elif cmd == "delete" and len(sys.argv) >= 4:
result = delete_image(sys.argv[2], sys.argv[3])Only allow deletion of managed attachment filenames, use safe path resolution, verify the resolved path is under the attachments root, and reject absolute paths or '..' segments.
Sensitive text in saved answers or screenshots may remain searchable and could influence future answers from the knowledge base.
The skill intentionally stores user-provided Q&A, screenshots, and OCR text for later search and reuse.
| 📸 **图片附件** | 保存截图,自动 OCR 提取文字 | | 🔍 **智能搜索** | 匹配问题文本 + 图片 OCR 文字 |
Store only information intended for reuse, avoid sensitive screenshots unless needed, and periodically review or delete stored knowledge-base entries and attachments.