Qdrant Advanced

Security checks across malware telemetry and agentic risk

Overview

This Qdrant skill does what it claims, but its scripts handle documents, queries, and database operations in ways that can expose sensitive data and may allow crafted input to run unintended local code.

Review carefully before installing. Use only isolated Qdrant collections and non-sensitive test data unless the scripts are fixed to safely pass JSON and Python inputs. Do not ingest untrusted files or metadata, avoid sensitive search queries, use a limited OpenAI key, and make backups before running delete, restore, or migration commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
When --upgrade-model is used, the script extracts payload.text values from Qdrant points and sends them to the OpenAI embeddings API. This is a real data exposure risk because collection contents may include sensitive or regulated information, and the script provides no consent gate, classification check, or redaction before external transmission.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes a destructive delete operation for collections without any warning, confirmation step, or mention of irreversible data loss. In an agent-facing skill, this increases the chance that an automated workflow or inattentive user will delete production vector data unintentionally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Restore and snapshot deletion are documented without user-facing cautions about overwrite, rollback, or permanent loss of backup artifacts. In production database workflows, these operations can destroy current state or remove recovery points, making accidental invocation materially harmful.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends raw document chunks to the OpenAI embeddings API, but the usage text and runtime output do not clearly warn the operator that document contents leave the local environment. This can cause unintended disclosure of sensitive or regulated data when users assume ingestion is only local to Qdrant.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script uploads chunk text and source file metadata into Qdrant without clearly disclosing that full text and file path information will be stored in the vector database. This may expose sensitive contents or internal path details to anyone with access to the collection or downstream systems consuming it.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The embedding upgrade path transmits collection text payloads to an external API without a clear user warning at the moment of execution. In a migration tool, users may assume data stays within Qdrant infrastructure, so this silent transfer increases the chance of accidental disclosure of proprietary or personal data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the raw user query to OpenAI's embeddings API, but only prints a generic progress message instead of clearly warning that the query contents leave the local environment. This creates a real data exposure risk if users search with sensitive internal, personal, or regulated content, especially because the skill is positioned for production semantic search workflows.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The manifest requires a sensitive credential (OPENAI_API_KEY) but provides no user-facing warning about how that credential will be used or whether data may be sent to external services. In a skill that performs document ingestion, semantic search, and migration, this increases the risk of users unknowingly exposing proprietary content or secrets to third-party APIs during embedding or related processing.

External Transmission

Medium
Category
Data Exfiltration
Content
local batch_num="$2"
    
    # Generate embeddings for batch
    local embedding_response=$(curl -s -w "\n%{http_code}" \
        -X POST \
        -H "Authorization: Bearer $OPENAI_API_KEY" \
        -H "Content-Type: application/json" \
Confidence
95% confidence
Finding
curl -s -w "\n%{http_code}" \ -X POST \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ https://api.openai.com/v1/embeddings \

External Transmission

Medium
Category
Data Exfiltration
Content
-X POST \
        -H "Authorization: Bearer $OPENAI_API_KEY" \
        -H "Content-Type: application/json" \
        https://api.openai.com/v1/embeddings \
        -d "{
            \"input\": $batch_data,
            \"model\": \"text-embedding-3-small\"
Confidence
91% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Extract texts and re-embed
        local texts=$(echo "$points" | python3 -c "import json,sys; pts=json.load(sys.stdin); print(json.dumps([p.get('payload', {}).get('text', '') for p in pts]))")
        
        local emb_resp=$(curl -s -X POST \
            -H "Authorization: Bearer $OPENAI_API_KEY" \
            -H "Content-Type: application/json" \
            https://api.openai.com/v1/embeddings \
Confidence
98% confidence
Finding
curl -s -X POST \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ https://api.openai.com/v1/embeddings \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
local emb_resp=$(curl -s -X POST \
            -H "Authorization: Bearer $OPENAI_API_KEY" \
            -H "Content-Type: application/json" \
            https://api.openai.com/v1/embeddings \
            -d "{\"input\": $texts, \"model\": \"text-embedding-3-small\"}")
        
        local embeddings=$(echo "$emb_resp" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps([e['embedding'] for e in d.get('data', [])]))")
Confidence
97% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Generating embedding for query..."

# Generate embedding using OpenAI API
EMBEDDING_RESPONSE=$(curl -s -w "\n%{http_code}" \
    -X POST \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -H "Content-Type: application/json" \
Confidence
95% confidence
Finding
curl -s -w "\n%{http_code}" \ -X POST \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ https://api.openai.com/v1/embeddings \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
-X POST \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -H "Content-Type: application/json" \
    https://api.openai.com/v1/embeddings \
    -d "{
        \"input\": \"$QUERY\",
        \"model\": \"text-embedding-3-small\"
Confidence
94% confidence
Finding
https://api.openai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
