Low Risk — Risk Score 22/100
Last scan: 1 day ago
lookupmark-local-rag
Semantic search over local files using all-MiniLM-L6-v2 embeddings and ms-marco-MiniLM-L-6-v2 cross-encoder reranking with ChromaDB and parent-child chunking
A legitimate local document indexing and search tool with well-defined security boundaries, though it uses undocumented shell commands for dependency installation and monitoring.
Skill Name: lookupmark-local-rag
Duration: 59.6s
Engine: pi
Safe to install
Approve for use with standard sandboxing. Declare subprocess usage in SKILL.md and fix the documentation mismatch on supported file types.

Findings 3 items

1. Subprocess usage not declared in SKILL.md
Severity: Low
Category: Doc Mismatch
Location: scripts/index.py:96
index.py runs 'uv pip install' via subprocess when python-docx is missing (line ~94-98). monitor.py runs 'ps aux', 'git log', 'du' via subprocess (lines ~48, ~78, ~88). Neither is declared in the Security section or anywhere in SKILL.md.
    subprocess.check_call(['uv', 'pip', 'install', '-p', sys.executable, 'python-docx'])
→ Add 'subprocess' to the declared capabilities in SKILL.md with a note that it is used for on-demand dependency installation and system monitoring tools.

2. Supported file type mismatch between docs and code
Severity: Low
Category: Doc Mismatch
Location: scripts/index.py:51
SKILL.md states the skill only processes documents and explicitly excludes code files (.py, .js, .sh, .ipynb, .html, .css), yet index.py includes .html, .css, and .xml in TEXT_EXTENSIONS. While these are not malicious, the mismatch is a documentation inaccuracy.
    TEXT_EXTENSIONS = { ".txt", ".md", ".rst", ".csv", ".tsv", ".yaml", ".yml", ".json", ".toml", ".cfg", ".ini", ".xml", ".html", ".css", ".tex", ".bib", ".log" }
→ Align TEXT_EXTENSIONS with SKILL.md documentation, or update SKILL.md to correctly list all supported extensions including .html, .css, .xml.

3. Unpinned dependency (index-batch.sh: uv pip install)
Severity: Low
Category: Supply Chain
Location: scripts/index.py:96
index.py runs 'uv pip install python-docx' without a version pin. If python-docx publishes a malicious update, it could be pulled. However this only triggers on ImportError, making opportunistic injection difficult.
    subprocess.check_call(['uv', 'pip', 'install', '-p', sys.executable, 'python-docx'])
→ Pin to a known-safe version: 'python-docx==0.8.11' or similar, or document why unpinned is acceptable in this context.

Declared vs. Inferred Capabilities

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | SKILL.md: 'Optimized for low-RAM ARM devices' — file writes are to ~/.local/shar…
Network | READ | READ | ✓ Aligned | Downloads sentence-transformer models from HuggingFace; all model downloads are …
Shell | NONE | WRITE | ✗ Violation | scripts/index.py:96 subprocess.check_call(['uv', 'pip', 'install', ...]); script…

File Tree

6 files · 31.5 KB · 962 lines
Python 3f · 671L | Shell 1f · 157L | Markdown 1f · 129L | JSON 1f · 5L
├─ 📁 scripts
│ ├─ 🔧 index-batch.sh Shell 157L · 4.2 KB
│ ├─ 🐍 index.py Python 302L · 10.3 KB
│ ├─ 🐍 monitor.py Python 194L · 6.1 KB
│ └─ 🐍 query.py Python 175L · 5.8 KB
├─ 📋 _meta.json JSON 5L · 139 B
└─ 📝 SKILL.md Markdown 129L · 5.0 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
chromadb | * | pip | No | Version not pinned — indirect dependency via requirements
sentence-transformers | * | pip | No | Version not pinned — core dependency
python-docx | * | pip | No | Version not pinned; installed on-demand by index.py

Security Positives

✓ Security boundaries are well-implemented: ALLOWED_ROOTS restrict indexing to ~/Documenti and ~/Scaricati only
✓ BLOCKED_PATTERNS explicitly exclude .ssh, .gnupg, .env, credentials, tokens, and .config/openclaw
✓ File hash checking (SHA-256) prevents re-indexing unchanged files — no data duplication risk
✓ No hardcoded credentials, API keys, or secrets anywhere in the codebase
✓ No base64, eval, or obfuscation patterns present
✓ No external network calls except to HuggingFace for model downloads (legitimate and declared)
✓ No C2, reverse shell, or data exfiltration behavior observed
✓ Git-based rollback in index-batch.sh provides integrity protection against corruption
✓ OOM protection via SIGKILL detection and rollback is a responsible design choice for low-RAM devices
✓ Trustworthy purpose: local semantic document search with no outbound data transmission