v1.0.8

RAGFlow

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:33 AM.

Analysis

This skill is a disclosed RAGFlow management helper that uses an API key to upload, retrieve, update, parse, and delete RAGFlow dataset content, with delete-confirmation guidance included.

Guidance: Install this only if you want the agent to manage RAGFlow datasets and documents with your API key. Use a scoped credential if possible, verify the RAGFLOW_API_URL, be careful when uploading sensitive files, and require the agent to show exact dataset or document IDs before you approve any deletion.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
create, list, inspect, update, or delete datasets; upload, list, update, or delete documents; start or stop parsing

The skill intentionally exposes data-changing RAGFlow operations, including deletes and parsing control. This is aligned with the stated purpose, but users should notice the mutation authority.

User impact: If used incorrectly, the agent could change or delete RAGFlow datasets or documents.
Recommendation: Use least-privilege RAGFlow API credentials where possible and review dataset/document IDs before approving changes, especially deletes.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
For any delete action, list the exact items first and require explicit user confirmation before executing.

The artifacts include a clear safety instruction for destructive actions. The risk remains worth noting because deletion authority is present, even though the workflow asks for confirmation.

User impact: Deletes are intended to require explicit confirmation, reducing accidental removal of datasets or documents.
Recommendation: Only confirm delete actions after checking the exact dataset or document IDs shown by the agent.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an upstream source or homepage. The supplied scripts are bundled and no install step is required, so this is a provenance note rather than a behavioral concern.

User impact: You have less external provenance information to verify the publisher or upstream project.
Recommendation: Review the bundled artifacts and install only if you trust the registry publisher and the provided code.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
requires:
  env:
    - RAGFLOW_API_URL
    - RAGFLOW_API_KEY
primaryEnv: RAGFLOW_API_KEY

The skill requires a RAGFlow API key and uses it as the primary credential. This is expected for RAGFlow API access, but it grants delegated account authority.

User impact: Anyone using this skill with your API key can perform the RAGFlow operations allowed by that key.
Recommendation: Provide a scoped API key if RAGFlow supports it, rotate keys if exposed, and avoid using credentials with broader access than needed.

Identity and Privilege Abuse
Severity: Info; Confidence: Medium; Status: Note
scripts/list_models.py
parser.add_argument("--api-path", default=DEFAULT_API_PATH, help=f"Endpoint path (default: {DEFAULT_API_PATH})")

The model-listing script allows an alternate authenticated endpoint path under the configured RAGFlow base URL. This appears intended for API compatibility, but it slightly broadens how the API key can be used.

User impact: A non-default invocation could query a different RAGFlow endpoint with the same bearer token.
Recommendation: Use the default model-listing endpoint unless you intentionally need a different RAGFlow API path.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
retrieve chunks from one or more datasets

The skill retrieves RAGFlow dataset chunks and relays returned fields. Retrieved content may contain private information or untrusted document text, which is inherent to RAG/Retrieval workflows.

User impact: Search results may expose sensitive document excerpts from datasets the API key can access.
Recommendation: Use this skill only with datasets you are comfortable querying through the agent, and treat retrieved document text as source material rather than trusted instructions.