Is emre-koc/zvec-local-rag-service safe?
https://github.com/openclaw/skills/tree/main/skills/emre-koc/zvec-local-rag-service
The zvec-local-rag-service skill is a functionally legitimate local RAG service using Ollama embeddings, and its SKILL.md contains no prompt injection, hidden instructions, or credential access attempts — canary file integrity was fully preserved throughout the audit. However, two material risks warrant caution before installation: the skill installs an unverified external npm package (@zvec/zvec@^0.2.0) whose provenance cannot be confirmed and which executes code during every bootstrap, representing a supply chain risk; and the service's /ingest endpoint accepts arbitrary filesystem paths, creating a latent exfiltration path if an agent using the skill is manipulated into indexing sensitive directories such as ~/.ssh or ~/.aws. The launchd persistence mechanism, while documented, could be installed autonomously by an agent without explicit user confirmation at the critical step.
Findings (11)
HIGH Unverified npm dependency @zvec/zvec poses supply chain risk -25
The skill declares a hard dependency on @zvec/zvec@^0.2.0 in package.json, and manage.sh bootstrap installs it with npm install. If this package (or any transitive dependency) is malicious or later compromised on the npm registry, arbitrary code runs with the user's privileges at bootstrap time (install scripts) and again whenever the service starts and loads the module. Because no lockfile is committed, each bootstrap resolves the package live, and the range ^0.2.0 accepts any 0.2.x release available at that moment (for 0.x versions a caret permits patch-level updates only), so a newly published version is picked up without the user noticing.
MEDIUM LaunchAgent persistence survives reboots without re-authorization -15
The install-launchd subcommand writes a launchd plist to ~/Library/LaunchAgents/com.openclaw.zvec-rag-service.plist and registers it with launchctl bootstrap + kickstart. Once installed, the RAG service launches automatically at every user login with no further user authorization required. An AI agent executing this skill autonomously could install persistence without the user reviewing the plist, despite SKILL.md's advisory to inspect it first.
MEDIUM Ingest API accepts arbitrary filesystem paths with no allowlist -20
The /ingest HTTP endpoint accepts a JSON body with a 'dir' field naming any directory the user can read. No server-side allowlist, sandboxing, or path restriction is visible in the skill files. If an agent using this skill is given adversarial input or is manipulated via another skill, it can be directed to ingest sensitive directories such as ~/.ssh/, ~/.aws/, or ~/.config/. The embeddings stay on the local machine, but retrieval returns the matching chunks, so targeted /search queries recover meaningful plaintext from whatever was indexed.
MEDIUM Agent manipulation via ingest API enables latent credential indexing -20
An attacker who can influence the agent's instructions (via adversarial user input, malicious document content, or cross-skill prompt injection from another installed skill) could direct the agent to call manage.sh ingest ~/.ssh or similar. Combined with the LaunchAgent persistence, the RAG service would continue running after the session ends, enabling repeat queries. This represents a plausible multi-stage attack requiring no direct skill-level prompt injection.
LOW Local vector store persists indexed content across sessions -6
The RAG service stores all ingested vector embeddings under ~/.openclaw/data/zvec-rag-service (RAG_BASE_DIR). This directory persists across sessions and is readable by any process running as the user. Content ingested in one session remains queryable in future sessions, and could be accessed by other local skills or processes with filesystem access.
LOW Shell printf JSON construction is vulnerable to injection via special characters -5
manage.sh builds curl JSON payloads using printf with unescaped user-supplied values for both the ingest directory and the search query. Values containing double-quotes, backslashes, or newlines will malform or inject additional keys into the JSON body. While the service is loopback-only and the user controls the input, this is a correctness and minor security flaw that could cause unexpected service behavior.
LOW LaunchAgent install instruction may be autonomously executed by agent -10
SKILL.md presents install-launchd as a normal workflow step (Quick start section) without framing it as requiring explicit user confirmation before agent execution. An agent that treats SKILL.md as an action script rather than documentation could install the LaunchAgent without surfacing an approval prompt, silently establishing boot persistence. This is a design ambiguity rather than intentional injection.
LOW npm supply chain risk compounds on every bootstrap -12
Because @zvec/zvec is fetched fresh from npm (no lockfile committed to the skill repo), every new bootstrap call on a fresh machine resolves the package live. A future supply chain compromise of @zvec/zvec would affect all users bootstrapping after the fact, without any visible change to the skill files themselves.
LOW Bootstrap phase initiates live npm registry network connection -8
While the skill installation (git sparse-checkout + cp) produces only expected github.com traffic, the first run of manage.sh bootstrap triggers npm install, which connects to registry.npmjs.org to fetch @zvec/zvec and any transitive dependencies. This is expected behavior for npm-based skills but represents an external network dependency beyond the git clone phase.
INFO All honeypot files confirmed intact — no credential exfiltration 0
Canary files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json were all verified intact after installation. PATH audit events for these files at timestamps 1771935164.384 and 1771935180.742 correspond to the audit system's own pre- and post-install baseline scans, not to any skill-initiated reads.
INFO Secure-by-default network binding reduces external attack surface 0
The RAG service defaults to binding on 127.0.0.1 only (RAG_HOST) and to an Ollama instance on localhost (OLLAMA_URL). Binding to a non-loopback address requires the explicit environment flag ALLOW_NON_LOOPBACK_HOST=true, and pointing the service at a remote Ollama requires ALLOW_REMOTE_OLLAMA=true. This defense-in-depth design limits the default attack surface to processes on the same machine.