⬡ Pipeline · Language & NLP · Free

RAGFlow

Open-source RAG engine built on deep document understanding, grounding LLM answers with traceable citations.

@ai-supply
Installs: 224
⟳ upstream v0.26.3 · updated 3d ago

RAGFlow

RAGFlow is a leading open-source Retrieval-Augmented Generation engine built around deep document understanding. It ingests complex, unstructured documents, chunks them intelligently, and grounds LLM answers with citations you can trace back to the source — reducing hallucinations in question-answering over private knowledge.

Key features

  • Deep document parsing (PDF, DOCX, tables, figures, scanned pages) with layout awareness
  • Template-based, explainable chunking with citations back to the original document
  • Agentic RAG, knowledge-graph extraction, and multi-recall retrieval
  • Compatible with many LLMs and embedding models; REST API plus a web UI
  • One-command Docker Compose deployment

Usage note: launch the stack with the provided Docker Compose file, upload a knowledge base, and query it through the web UI or the HTTP API to get cited answers.

Curated mirror of the open-source RAGFlow (Apache-2.0). Get it from the source.

Rating rank: #2 of 39 in Language & NLP
Install rank: #38 of 39 in Language & NLP
Security score: 16/100 · D · review
Security rank: #26 of 39 in Language & NLP
Installs: 224 (cat avg 262k)
[Charts: this listing vs category average (installs; security score of 100); adoption trend]
! Security: Review · 16/100 · grade D · scanned 1h ago

Only compromise signals — malicious or tampered code (leaked secrets, backdoors, path traversal, a dropped executable) — reduce the score. Dangerous-by-capability traits (shell, network, injection strings, pickle) are shown as risk surface: expected for some capabilities — a security tool ships offensive code on purpose — so they do not sink the grade.

Compromise signals
Embedded credentials · high · infiniflow-ragflow-8b065d3/admin/client/parser.py
found: hardcoded credential
Embedded credentials · high · infiniflow-ragflow-8b065d3/conf/private.pem
found: private key
What this capability can do · med confidence (static)
⚑ filesystem · ⚑ shell · ⚑ network · ⚑ secrets
egress → www.apache.org, schemas.openxmlformats.org, help.aliyun.com, api.aliyun.com, [\w\.]+, bgpt.pro, {settings.sandbox_host}, api.github.com +15
Risk surface (67)
Path traversal sequences · medium · infiniflow-ragflow-8b065d3/.agents/skills/go-naming/SKILL.md
'../' present in content or name
External endpoints declared · low · infiniflow-ragflow-8b065d3/.github/ISSUE_TEMPLATE/agent_scenario_request.yml
1 distinct host(s)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/.github/copilot-instructions.md
raw IP URL (1 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/.github/copilot-instructions.md
127.0.0.1
Broad capability surface · low · infiniflow-ragflow-8b065d3/.github/workflows/release.yml
3 high-impact capability categories referenced — verify least-privilege
External endpoints declared · low · infiniflow-ragflow-8b065d3/.github/workflows/release.yml
2 distinct host(s)
Internal host / private infrastructure reference · medium · infiniflow-ragflow-8b065d3/.github/workflows/sep-tests.yml
shipped content references a private IP range or internal-only host
External endpoints declared · low · infiniflow-ragflow-8b065d3/.github/workflows/sep-tests.yml
3 distinct host(s)
External endpoints declared · low · infiniflow-ragflow-8b065d3/.gitignore
7 distinct host(s)
Suspicious code patterns · high · infiniflow-ragflow-8b065d3/Dockerfile
destructive rm -rf /; pipe-to-shell install
External endpoints declared · low · infiniflow-ragflow-8b065d3/Dockerfile
9 distinct host(s)
Suspicious code patterns · high · infiniflow-ragflow-8b065d3/Dockerfile.scratch.oc9
pipe-to-shell install
Suspicious code patterns · high · infiniflow-ragflow-8b065d3/Dockerfile_deepdoc_oss
destructive rm -rf /
External endpoints declared · low · infiniflow-ragflow-8b065d3/Dockerfile_deepdoc_oss
4 distinct host(s)
External endpoints declared · medium · infiniflow-ragflow-8b065d3/README.md
15 distinct host(s)
Suspicious network references · low · infiniflow-ragflow-8b065d3/README_tzh.md
suspicious TLD (68 URLs)
External endpoints declared · medium · infiniflow-ragflow-8b065d3/README_tzh.md
17 distinct host(s)
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/SECURITY.md
pickle deserialization
Potentially unbounded loop · medium · infiniflow-ragflow-8b065d3/admin/client/ragflow_cli.py
an infinite loop (while True / while(1) / for(;;)) may cause runaway consumption
Suspicious network references · low · infiniflow-ragflow-8b065d3/agent/sandbox/executor_manager/Dockerfile
suspicious TLD (4 URLs)
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/agent/sandbox/executor_manager/services/execution.py
dynamic code execution
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/agent/sandbox/executor_manager/services/security.py
child_process exec; dynamic code execution
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/agent/sandbox/providers/local.py
OS command execution
Suspicious network references · low · infiniflow-ragflow-8b065d3/agent/sandbox/pyproject.toml
suspicious TLD (1 URLs)
Suspicious network references · low · infiniflow-ragflow-8b065d3/agent/sandbox/sandbox_base_image/python/Dockerfile
suspicious TLD (3 URLs)
External endpoints declared · low · infiniflow-ragflow-8b065d3/agent/sandbox/sandbox_spec.md
8 distinct host(s)
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/agent/sandbox/tests/sandbox_security_tests_full.py
OS command execution; dynamic code execution
Possible obfuscation · medium · infiniflow-ragflow-8b065d3/agent/templates/advanced_ingestion_pipeline.json
very long lines
Possible obfuscation · medium · infiniflow-ragflow-8b065d3/agent/templates/text2sql_data_expert.json
large base64 blob
Zero-width characters · low · infiniflow-ragflow-8b065d3/agent/templates/trip_planner.json
9 hidden characters
External endpoints declared · low · infiniflow-ragflow-8b065d3/api/channels/whatsapp/gateway-node/package-lock.json
6 distinct host(s)
Suspicious code patterns · medium · infiniflow-ragflow-8b065d3/api/db/services/compilation_template_service.py
unsafe yaml.load
Prompt-injection phrasing · high · expected for this capability · infiniflow-ragflow-8b065d3/common/data_source/rest_api_connector.py
instruction-subversion language detected
Suspicious network references · medium · infiniflow-ragflow-8b065d3/common/data_source/webdav_connector.py
raw IP URL (2 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/common/data_source/webdav_connector.py
172.17.0.1
Broad capability surface · low · infiniflow-ragflow-8b065d3/common/settings.py
4 high-impact capability categories referenced — verify least-privilege
Suspicious network references · low · infiniflow-ragflow-8b065d3/conf/llm_factories.json
suspicious TLD (22 URLs)
External endpoints declared · medium · infiniflow-ragflow-8b065d3/conf/llm_factories.json
22 distinct host(s)
Suspicious network references · low · infiniflow-ragflow-8b065d3/conf/models/astraflow.json
suspicious TLD (2 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docker/README.md
raw IP URL (5 URLs)
External endpoints declared · low · infiniflow-ragflow-8b065d3/docker/README.md
5 distinct host(s)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docker/docker-compose.yml
raw IP URL (6 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docker/entrypoint.sh
raw IP URL, suspicious TLD (3 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docker/nginx/ragflow.conf.golang
raw IP URL (3 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docker/nginx/ragflow.conf.hybrid
raw IP URL (12 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docs/administrator/configurations/configurations.md
raw IP URL (23 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docs/develop/mcp/launch_mcp_server.md
raw IP URL (18 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/docs/develop/mcp/launch_mcp_server.md
127.0.0.1, 0.0.0.0, 172.19.0.6
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docs/develop/mcp/mcp_client_example.md
raw IP URL (14 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docs/faq.mdx
raw IP URL (41 URLs)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/docs/guides/models/deploy_local_llm.mdx
raw IP URL (29 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/docs/guides/models/deploy_local_llm.mdx
0.0.0.0
External endpoints declared · low · infiniflow-ragflow-8b065d3/docs/guides/models/deploy_local_llm.mdx
10 distinct host(s)
Suspicious network references · low · infiniflow-ragflow-8b065d3/docs/guides/models/supported_models.mdx
suspicious TLD (56 URLs)
External endpoints declared · medium · infiniflow-ragflow-8b065d3/docs/guides/models/supported_models.mdx
55 distinct host(s)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/internal/agent/component/invoke_test.go
raw IP URL (11 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/internal/agent/component/invoke_test.go
169.254.169.254, 127.0.0.1
Embedded credentials · high · expected for this capability · infiniflow-ragflow-8b065d3/internal/agent/tool/exesql_trino_test.go
found: credentials in URL, hardcoded credential
Suspicious network references · medium · infiniflow-ragflow-8b065d3/internal/agent/tool/keenable_test.go
raw IP URL (21 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/internal/agent/tool/keenable_test.go
127.0.0.1, [::1]
External endpoints declared · medium · infiniflow-ragflow-8b065d3/internal/agent/tool/keenable_test.go
12 distinct host(s)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/internal/agent/tool/ssrf_test.go
raw IP URL (32 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/internal/agent/tool/ssrf_test.go
127.0.0.1, [::1], 0.0.0.0, [::], 10.0.0.1, 192.168.1.1, 172.16.0.1, 169.254.169.254, [fe80::1], 224.0.0.1
External endpoints declared · medium · infiniflow-ragflow-8b065d3/internal/agent/tool/ssrf_test.go
21 distinct host(s)
Suspicious network references · medium · infiniflow-ragflow-8b065d3/internal/development.md
raw IP URL, suspicious TLD (8 URLs)
Egress to a private/loopback host · high · infiniflow-ragflow-8b065d3/internal/development.md
192.168.1.96
Suspicious network references · low · infiniflow-ragflow-8b065d3/internal/entity/models/302ai_test.go
suspicious TLD (19 URLs)
✔ verified source · pinned infiniflow-ragflow-8b065d3 · changed since last scan · +egress www.apache.org, schemas.openxmlformats.org, help.aliyun.com, api.aliyun.com, [\w\.]+, bgpt.pro, {settings.sandbox_host}, api.github.com, open-data-api.jin10.com, api.keenable.ai, pubmed.ncbi.nlm.nih.gov, geoapi.qweather.com, api.qweather.com, devapi.qweather.com, api.tushare.pro, api.siliconflow.com, dashscope-intl.aliyuncs.com, api.dingtalk.com, api.sgroup.qq.com, bots.qq.com, qyapi.weixin.qq.com, ${req.headers.host, docs.peewee-orm.com
OWASP AI control mapping
5 passed · 10 flagged · 0 runtime-enforced · 5 governance

Evaluated against the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10.

OWASP Top 10 for LLM Applications
⚠ LLM01 · Prompt Injection · high
Adversarial instructions embedded in an artifact that hijack a downstream LLM.
  • Zero-width characters — 9 hidden characters
  • Prompt-injection phrasing — instruction-subversion language detected (CWE-77)
⚠ LLM02 · Sensitive Information Disclosure · high
Secrets, credentials or PII shipped inside the artifact.
  • Embedded credentials — found: hardcoded credential (CWE-798)
  • Embedded credentials — found: private key (CWE-798)
  • Embedded credentials — found: credentials in URL, hardcoded credential (CWE-798)
⚠ LLM03 · Supply Chain · low
Vulnerable/compromised dependencies, models or archives in the artifact.
  • Dependency manifest — 3 pip requirements declared
  • Dependency manifest — 1 npm dependencies declared
  • Dependency manifest — 4 pip requirements declared
  • Dependency manifest — 2 npm dependencies declared
✓ LLM04 · Data and Model Poisoning · Passed
Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
⚠ LLM05 · Improper Output Handling · high
Code that pipes model/user output into shell, eval, SQL or paths unsafely.
  • Path traversal sequences — '../' present in content or name (CWE-22)
  • Suspicious code patterns — destructive rm -rf /; pipe-to-shell install (CWE-78)
  • Suspicious code patterns — pipe-to-shell install (CWE-494)
  • Suspicious code patterns — destructive rm -rf / (CWE-78)
  • Suspicious code patterns — pickle deserialization (CWE-502)
  • Suspicious code patterns — dynamic code execution (CWE-95)
  • Suspicious code patterns — child_process exec; dynamic code execution (CWE-78)
  • Suspicious code patterns — OS command execution (CWE-78)
  • Suspicious code patterns — OS command execution; dynamic code execution (CWE-78)
  • Suspicious code patterns — unsafe yaml.load (CWE-502)
⚠ LLM06 · Excessive Agency · high
Over-broad tool/permission surface or unrestricted egress.
  • External endpoints declared — 1 distinct host(s)
  • Egress to a private/loopback host — 127.0.0.1 (CWE-918)
  • Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege (CWE-272)
  • External endpoints declared — 2 distinct host(s)
  • External endpoints declared — 3 distinct host(s)
  • External endpoints declared — 7 distinct host(s)
  • External endpoints declared — 9 distinct host(s)
  • External endpoints declared — 4 distinct host(s)
  • External endpoints declared — 15 distinct host(s)
  • External endpoints declared — 17 distinct host(s)
  • External endpoints declared — 8 distinct host(s)
  • External endpoints declared — 6 distinct host(s)
  • Egress to a private/loopback host — 172.17.0.1 (CWE-918)
  • Broad capability surface — 4 high-impact capability categories referenced — verify least-privilege (CWE-272)
  • External endpoints declared — 22 distinct host(s)
  • External endpoints declared — 5 distinct host(s)
  • Egress to a private/loopback host — 127.0.0.1, 0.0.0.0, 172.19.0.6 (CWE-918)
  • Egress to a private/loopback host — 0.0.0.0 (CWE-918)
  • External endpoints declared — 10 distinct host(s)
  • External endpoints declared — 55 distinct host(s)
  • Egress to a private/loopback host — 169.254.169.254, 127.0.0.1 (CWE-918)
  • Egress to a private/loopback host — 127.0.0.1, [::1] (CWE-918)
  • External endpoints declared — 12 distinct host(s)
  • Egress to a private/loopback host — 127.0.0.1, [::1], 0.0.0.0, [::], 10.0.0.1, 192.168.1.1, 172.16.0.1, 169.254.169.254, [fe80::1], 224.0.0.1 (CWE-918)
  • External endpoints declared — 21 distinct host(s)
  • Egress to a private/loopback host — 192.168.1.96 (CWE-918)
⚠ LLM07 · System Prompt Leakage · high
Secrets, internal hosts or proprietary logic exposed in shipped prompts.
  • Internal host / private infrastructure reference — shipped content references a private IP range or internal-only host (CWE-200)
  • Embedded credentials — found: hardcoded credential (CWE-798)
  • Embedded credentials — found: private key (CWE-798)
  • Embedded credentials — found: credentials in URL, hardcoded credential (CWE-798)
✓ LLM08 · Vector and Embedding Weaknesses · Passed
PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
§ LLM09 · Misinformation · Governance
Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
⚠ LLM10 · Unbounded Consumption · medium
Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
  • Potentially unbounded loop — an infinite loop (while True / while(1) / for(;;)) may cause runaway consumption (CWE-835)
OWASP Machine Learning Security Top 10
§ ML01 · Input Manipulation (Adversarial) · Governance
Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
⚠ ML02 · Data Poisoning · high
Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
  • Prompt-injection phrasing — instruction-subversion language detected (CWE-77)
§ ML03 · Model Inversion · Governance
Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ ML04 · Membership Inference · Governance
Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
✓ ML05 · Model Theft · Passed
Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
⚠ ML06 · AI Supply Chain · low
Compromised PyPI/npm packages, typosquats, unsafe serialized models.
  • Dependency manifest — 3 pip requirements declared
  • Dependency manifest — 1 npm dependencies declared
  • Dependency manifest — 4 pip requirements declared
  • Dependency manifest — 2 npm dependencies declared
✓ ML07 · Transfer Learning Attack · Passed
Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
§ ML08 · Model Skewing · Governance
Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
⚠ ML09 · Output Integrity · high
Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
  • Path traversal sequences — '../' present in content or name (CWE-22)
  • Suspicious code patterns — destructive rm -rf /; pipe-to-shell install (CWE-78)
  • Suspicious code patterns — pipe-to-shell install (CWE-494)
  • Suspicious code patterns — destructive rm -rf / (CWE-78)
  • Suspicious code patterns — pickle deserialization (CWE-502)
  • Suspicious code patterns — dynamic code execution (CWE-95)
  • Suspicious code patterns — child_process exec; dynamic code execution (CWE-78)
  • Suspicious code patterns — OS command execution (CWE-78)
  • Suspicious code patterns — OS command execution; dynamic code execution (CWE-78)
  • Suspicious code patterns — unsafe yaml.load (CWE-502)
✓ ML10 · Model Poisoning (Weights) · Passed
Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.

Consume RAGFlow programmatically. Authenticate with an API key or session — see Authorize an agent.

# Agents: CHECK BEFORE YOU INSTALL (no auth) — score, grade, level, capability manifest
curl https://ai-supply.store/api/v1/trust/ragflow-rag-engine

# Gate against your org policy (returns { pass, violations })
curl -X POST https://ai-supply.store/api/v1/trust/ragflow-rag-engine/check \
  -H "Content-Type: application/json" \
  -d '{"minGrade":"B","denyPermissions":["shell"],"denyUnknownEgress":true}'

# CLI
npx ai-supply add ragflow-rag-engine

# REST (install → download)
curl -X POST https://ai-supply.store/api/v1/listings/ragflow-rag-engine/install \
  -H "Authorization: Bearer $AIM_KEY"

# MCP tool
install_listing({ "slug": "ragflow-rag-engine" })
vlatest
! Security: Review · 162d ago

Curated mirror — latest upstream source. See the repository for tagged releases.
