Back to skill

Security audit

Rag Retriever

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RAG document retrieval skill; it has expected privacy considerations around local indexing and optional remote embedding providers, but I found no hidden or purpose-mismatched behavior.

Install only if you are comfortable with a local RAG index storing documents and derived embeddings on disk. Use the simple/local paths for private material, and choose OpenAI embeddings only when you are comfortable sending the text being embedded to OpenAI. In restricted or air-gapped environments, pre-load or disable Transformers.js model downloads because the provider can contact a Hugging Face mirror to fetch model artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code sends raw input text to the OpenAI embeddings API, which is an external third party, without any disclosure, consent flow, or data-classification guardrails in this module. If callers pass sensitive prompts, documents, credentials, or regulated data, that content is transmitted off-host and may violate privacy, compliance, or user expectations.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The module persists embedding-cache data to local disk without notifying users that processed content-derived artifacts will remain on the filesystem. Even though the cache stores vectors keyed by MD5 of the text rather than plaintext, embeddings and deterministic hashes can still create privacy, retention, and forensic disclosure risks if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The provider silently configures a third-party Hugging Face mirror and may download model artifacts over the network during initialization, which can disclose environment metadata such as IP address, timing, model selection, and possibly trigger supply-chain trust issues. In a local-embedding skill, users may reasonably expect fully local behavior after installation, so undisclosed remote fetching makes this more risky in privacy-sensitive or restricted environments.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Like the embedding initializer, the cross-encoder silently contacts a remote mirror to obtain model files, creating undisclosed outbound network access and a supply-chain dependency. This is especially relevant because reranking may be used in enterprise or air-gapped workflows where unexpected egress is a policy violation even if document content itself is not uploaded.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/embeddings.js:16