Is metatronsdoob369/hk101-living-rag safe?

https://github.com/openclaw/skills/tree/main/skills/metatronsdoob369/hk101-living-rag

97
SAFE

This skill implements a simple RAG (Retrieval Augmented Generation) system for querying local documents using OpenAI's API. The code appears legitimate with standard functionality and no malicious behavior detected during installation.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (1)

MEDIUM Configurable file access parameter -10

The docsPath parameter allows users to specify arbitrary directories for document access. While this is legitimate functionality for a RAG system, it could potentially be used to read sensitive files if users specify inappropriate paths or use path traversal techniques.