Is chenkun-nuaa/ck-rag-skill safe?

https://github.com/openclaw/skills/tree/main/skills/chenkun-nuaa/ck-rag-skill

56
CAUTION

This skill is a RAGFlow knowledge base query interface that forwards user questions to an external API server at a hardcoded internal IP address (172.28.20.46). It contains plaintext API credentials, creates an indirect prompt injection vector by instructing the agent to execute commands based on API responses, and is non-portable due to hardcoded paths. While no active malice was detected during installation and the code is transparent, the combination of data forwarding to an external server and the API-response-to-agent-action pipeline presents meaningful risk.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 50/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (9)

HIGH Hardcoded API credentials in plaintext -35

Both query_ragflow.py and quick_test.py contain a hardcoded Authorization bearer token and a session cookie in plaintext. These credentials are exposed to anyone who installs the skill and could be used to access the RAGFlow API, or be leaked if the skill repo is forked.

HIGH User queries forwarded to external API server -30

Every user question processed by this skill is sent via HTTP POST to http://172.28.20.46:30001. The remote server receives and can log all queries, which may contain sensitive information from the user's conversation context. No content filtering or sanitization is applied before transmission.

HIGH Indirect prompt injection via API response → agent action pipeline -35

The skill instructs the agent to interpret RAGFlow API responses and translate them into executable commands or agent actions. The sections '步骤5' (Step 5) and '扩展使用' (Extended Use) explicitly tell the agent to suggest and execute commands based on API output. A compromised or malicious RAGFlow server could therefore return responses containing instructions that manipulate the agent's behavior.

MEDIUM Skill instructs agent to execute shell commands -15

SKILL.md contains bash code blocks that instruct the agent to run python3 scripts via shell execution. While this is the skill's stated purpose, it grants the skill execution privileges on the host system.

MEDIUM Executable scripts making external HTTP requests -25

The skill contains Python and bash scripts that make HTTP POST requests to an external server. While the code is not obfuscated and appears to be a straightforward API client, the scripts execute network I/O to a hardcoded endpoint.

MEDIUM Shared conversation context via fixed conversation_id -10

All queries use the same hardcoded conversation_id (0e18393f0b6042f2bbf6b391c82835d1), meaning all users of this skill share a single conversation context on the RAGFlow server. Previous queries and answers from other users may leak into subsequent responses.

MEDIUM Hardcoded non-portable file paths -20

Scripts and SKILL.md reference absolute paths tied to a specific deployment (/home/onestack/.openclaw/workspace/ragflow-kb/). On any other system, these paths won't exist, causing failures. This indicates the skill was built for one environment and not properly generalized.

LOW Unencrypted HTTP for API communication -5

The API endpoint uses plain HTTP (not HTTPS), so all data, including credentials and user queries, is transmitted in cleartext and is vulnerable to interception on the network.

INFO Clean installation with no suspicious activity -5

No unexpected filesystem changes, network connections, or process executions were detected during skill installation. All observed activity was standard system operations.