warn
suspicious.destructive_delete_command
- Location
- SKILL.md:124
- Finding
- Documentation contains a destructive delete command without an explicit confirmation gate.
ZettaBrain RAG
AdvisoryAudited by Static analysis on May 12, 2026.
Overview
Detected: suspicious.destructive_delete_command
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Installing the skill can run code from external package/script sources on the user's machine, sometimes with administrator privileges.
Why it was flagged
The skill directs users to install and run external package or installer code, including privileged shell execution on Linux. The documentation tells users to review the source first, so this is disclosed setup risk rather than hidden behavior.
Skill content
pipx install zettabrain-rag sudo zettabrain-setup ... curl -fsSL https://zettabrain.app/install.sh | sudo bash ... irm https://zettabrain.app/install.ps1 | iex
Recommendation
Prefer the pipx installation path when possible, inspect installer scripts before running one-line commands, and only install from sources you trust.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
A privileged setup step can modify system-level service configuration and install components outside the user's normal home directory.
Why it was flagged
The artifact requests administrator privileges for setup and service registration. That authority is proportionate to installing system services, but users should notice the elevated privilege boundary.
Skill content
sudo zettabrain-setup ... The Linux installer requires `sudo` to install Ollama system-wide and register a systemd service.
Recommendation
Run privileged setup only after reviewing the package/installer source and understanding the system service it creates.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Private document contents may influence future answers through the persistent local vector store until the index is deleted or rebuilt.
Why it was flagged
The skill persists embeddings and ingestion state derived from private documents. This is central to RAG and the storage path is disclosed, but it means selected documents become part of a reusable local retrieval index.
Skill content
The vector index (document embeddings) is stored **only on your local machine**: ... Vector database | `/opt/zettabrain/src/zettabrain_vectorstore/` ... **Exclude files or folders** by not including them in `ZETTABRAIN_DOCS` — only files under that path are indexed.
Recommendation
Point ZETTABRAIN_DOCS only at folders you intend to index, avoid mixing unrelated sensitive files, and use the documented deletion or rebuild steps when needed.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
If configured to use a remote Ollama server, document-related prompts or query context may leave the local machine.
Why it was flagged
The artifact clearly warns that changing the Ollama endpoint to a remote host changes the data boundary for document queries.
Skill content
OLLAMA_HOST ... Default: http://localhost:11434 (local). WARNING: setting this to a remote host sends document queries off-machine.
Recommendation
Keep OLLAMA_HOST pointed at localhost unless you intentionally trust and control the remote endpoint.
NoteHigh Confidence
ASI10: Rogue AgentsWhat this means
The web GUI service may continue running after setup and restart automatically on boot until disabled or removed.
Why it was flagged
The skill creates persistence via a boot-starting service. The behavior is disclosed and service management/removal commands are provided.
Skill content
Register ZettaBrain as a background service ... ZettaBrain registers a background service so the web GUI auto-starts on boot.
Recommendation
Disable or remove the service if you only want to run ZettaBrain manually.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Running these commands will permanently remove the local vector index and ingestion log, requiring re-ingestion to restore them.
Why it was flagged
The documentation includes destructive deletion commands. They are scoped to the skill's own vector index and ingestion log and appear under a user-directed deletion section.
Skill content
rm -rf /opt/zettabrain/src/zettabrain_vectorstore rm -f /opt/zettabrain/src/ingested_files.json
Recommendation
Use the deletion commands only when you intentionally want to reset or remove the indexed document data.