ClawHub
Back to skill

Security audit

Everything-Search-Skill

Security checks across malware telemetry and agentic risk

Overview

This local file-search skill is understandable in purpose, but it can automatically start local programs and search file paths with too little user control.

Install only if you want an agent to perform local filename/path searches through Everything on Windows or WSL. Verify the real Everything.exe and es.exe locations yourself, avoid relying on PATH or environment-variable overrides, and expect the skill to create path.env and possibly start Everything in the background.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        if is_wsl():
            # WSL 环境:直接执行 /mnt/c/.../Everything.exe
            subprocess.Popen(
                [everything_exe, "-startup"],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
            )
Confidence
90% confidence
Finding
subprocess.Popen( [everything_exe, "-startup"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 测试 es.exe 是否可运行
    if os.path.isfile(es_path):
        try:
            result = subprocess.run(
                [es_path, "-version"],
                capture_output=True,
                text=True,
Confidence
93% confidence
Finding
result = subprocess.run( [es_path, "-version"], capture_output=True, text=True, encoding="utf-8", errors="re

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
        elif sys.platform == 'win32':
            # Windows 原生环境
            subprocess.Popen(
                [everything_exe, "-startup"],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                creationflags=subprocess.CREATE_NO_WINDOW
Confidence
90% confidence
Finding
subprocess.Popen( [everything_exe, "-startup"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, creationflags=subprocess.CREATE_NO_WIN

Tainted flow: 'everything_exe' from os.environ.get (line 396, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
try:
        if is_wsl():
            # WSL 环境:直接执行 /mnt/c/.../Everything.exe
            subprocess.Popen(
                [everything_exe, "-startup"],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
            )
Confidence
97% confidence
Finding
subprocess.Popen( [everything_exe, "-startup"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

Tainted flow: 'es_path' from os.environ.get (line 145, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# 测试 es.exe 是否可运行
    if os.path.isfile(es_path):
        try:
            result = subprocess.run(
                [es_path, "-version"],
                capture_output=True,
                text=True,
Confidence
97% confidence
Finding
result = subprocess.run( [es_path, "-version"], capture_output=True, text=True, encoding="utf-8", errors="re

Tainted flow: 'everything_exe' from os.environ.get (line 396, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
)
        elif sys.platform == 'win32':
            # Windows 原生环境
            subprocess.Popen(
                [everything_exe, "-startup"],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                creationflags=subprocess.CREATE_NO_WINDOW
Confidence
97% confidence
Finding
subprocess.Popen( [everything_exe, "-startup"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, creationflags=subprocess.CREATE_NO_WIN

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill describes and demonstrates capabilities that can invoke local scripts, search the filesystem, write configuration/path data, and launch local processes, but it declares no explicit permissions. This creates a transparency and policy-enforcement gap: an agent or platform may authorize the skill with fewer guardrails than its actual behavior requires, increasing the risk of unintended file-system enumeration or process execution.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill claims to perform local file search, but the main flow also auto-discovers/install-configures dependencies and persists executable paths to disk via path.env. That broadens the capability beyond a read-only search tool and introduces unexpected state changes on the host, which is risky in an agent setting because users may not realize the tool modifies configuration.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
When Everything is not running, the script automatically starts a background process rather than limiting itself to querying an existing local index. In an agent context, silently spawning background software is broader than the stated purpose and can surprise users, alter system state, and create persistence-like operational concerns.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger condition is broad enough to match very common user intents such as finding or locating files, which makes accidental invocation likely. In a skill that can execute local tools and enumerate filesystem metadata, over-triggering can expose file names and paths beyond what the user explicitly intended to disclose.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The markdown trigger guidance lists broad applicability but does not define concrete invocation constraints, approval boundaries, or sensitivity checks. Because this skill operates on local file metadata and may auto-start supporting software, vague trigger rules increase the chance of unintentional activation and privacy-impacting enumeration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script starts Everything.exe in the background automatically, including from discover_and_configure paths that may be triggered non-interactively. While not inherently malicious, silent process launch reduces user awareness and compounds the risk of executing a spoofed binary if path resolution is compromised.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal