Search Cluster

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-provider search skill with some configuration and privacy risks, but I did not find hidden, deceptive, destructive, or purpose-mismatched behavior.

Install this only if you are comfortable sending search terms to the listed external providers. Use restricted Google credentials, leave Redis disabled unless you want 24-hour result caching, and set SCRAPLING_PYTHON_PATH only to a trusted dedicated virtualenv Python binary with pinned dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not os.path.exists(SCRAPLING_PYTHON) or not os.path.exists(STEALTH_SCRIPT):
    return []
try:
    result = subprocess.run([SCRAPLING_PYTHON, STEALTH_SCRIPT, query], capture_output=True, text=True, timeout=30)
    if result.returncode == 0:
        data = json.loads(result.stdout)
        for item in data:
Confidence
88% confidence
Finding
result = subprocess.run([SCRAPLING_PYTHON, STEALTH_SCRIPT, query], capture_output=True, text=True, timeout=30)

Tainted flow: 'SCRAPLING_PYTHON' from os.getenv (line 20, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
if not os.path.exists(SCRAPLING_PYTHON) or not os.path.exists(STEALTH_SCRIPT):
    return []
try:
    result = subprocess.run([SCRAPLING_PYTHON, STEALTH_SCRIPT, query], capture_output=True, text=True, timeout=30)
    if result.returncode == 0:
        data = json.loads(result.stdout)
        for item in data:
Confidence
95% confidence
Finding
result = subprocess.run([SCRAPLING_PYTHON, STEALTH_SCRIPT, query], capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents use of environment variables, network access, and subprocess/shell-like execution paths, yet no explicit permissions are declared. This creates a trust and governance gap: operators may approve or run the skill without understanding that it can access secrets, make outbound requests, and invoke external binaries, which increases the risk of unintended data exposure or abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior does not fully match the operational behavior: the skill also performs DuckDuckGo scraping through a stealth fetcher and may use Redis caching, neither of which is clearly reflected in the declared purpose. Behavior mismatches are dangerous because they hide effective data flows and external dependencies from reviewers, making it easier for risky scraping, covert outbound access, or persistence/caching of sensitive queries to go unnoticed.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill's manifest describes a search aggregator, but the implementation delegates part of that behavior to an external script executed via subprocess. This expands the trusted code base and creates an opaque execution boundary that is more dangerous in an agent skill because users and reviewers cannot easily verify what the child script does.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User queries are sent to multiple third-party services, which can expose sensitive prompts, internal identifiers, or personal data if users search for them. In an agent setting this is more dangerous because the caller may assume local processing while the skill fans queries out to several external providers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends the user-supplied query to an external search engine without any disclosure, consent flow, or data-handling notice. Search queries often contain sensitive personal, business, or investigative information, so silent transmission can leak user intent and data to third parties, especially in an aggregated search skill where users may assume controlled or declared providers only.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal