Security audit

egatee-china-search

Security checks across malware telemetry and agentic risk

Overview

This Egatee search skill is mostly coherent, but it needs Review because it can fetch arbitrary image URLs and store broad RFQ, contact, chat, and payload data in MySQL.

Install only if you trust the Egatee endpoints and the configured MySQL database. Do not pass internal or private-network image URLs, use narrowly scoped database credentials, and require explicit user confirmation before calling save_rfq or storing phone numbers, addresses, chat history, source payloads, or API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'image_url' from os.getenv (line 597, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
if not (image_url.startswith("http://") or image_url.startswith("https://")):
    raise ValueError("image_url must start with http:// or https://")

download_resp = requests.get(image_url, timeout=30)
download_resp.raise_for_status()
content_type = download_resp.headers.get("content-type", "").lower()
ext = ".jpg"
Confidence
98% confidence
Finding
download_resp = requests.get(image_url, timeout=30)

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The skill is presented primarily as a product search capability but also contains RFQ persistence and database-writing behavior. Hidden or weakly disclosed side effects increase the risk of unauthorized data collection and operational surprise, especially when downstream agents may invoke the skill assuming it is read-only.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The RFQ extraction and persistence paths collect and store extensive procurement and conversation data, including chat history, contact information, delivery address, selected items, and full source payloads. That exceeds core search functionality and materially increases privacy, retention, and breach impact if the database is exposed or the feature is invoked without clear authorization.

Missing User Warnings

High
Confidence
97% confidence
Finding
The save_rfq path writes sensitive user and conversation-derived data to MySQL without any built-in confirmation, consent check, or user-facing disclosure. This creates a meaningful privacy and compliance risk because addresses, phone numbers, chat history, and full payload snapshots may be persisted silently.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When given an image URL, the skill downloads the image and forwards it to an external search service without built-in disclosure or confirmation. Beyond privacy concerns, this can unexpectedly cause third-party data transfer of user-referenced content and compounds the SSRF risk in this code path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This integration test persists full request payloads and raw results to a timestamped JSON file, which can include user queries, image URLs, metadata, and potentially API keys or other sensitive business data returned by the backend. In this skill's context, the script directly exercises production-like search and backend APIs, so storing complete transcripts and outputs on disk increases the risk of unintended retention, local disclosure, accidental commits, or leakage through shared artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.