smart-search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web-search routing skill that sends queries to search providers and keeps local search logs, so it is privacy-sensitive but not deceptive or purpose-mismatched.

Install only if you are comfortable sending search queries to Gemini, Brave, and web_fetch search engines, and retaining local plaintext logs for up to 30 days. Do not use it for secrets, credentials, regulated data, or confidential business queries unless you control and protect the OpenClaw shared workspace logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Low
Confidence: 90%
Finding
The top-level description says the skill performs intelligent search routing but omits that it persistently logs all searches and retains logs for 30 days. This is a disclosure flaw because users and reviewers are not informed, at the point of installation or approval, that query contents and summaries will be stored on disk.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is so broad that agents may call this skill for nearly any up-to-date information request, increasing unintended transmission of prompts and user data to third-party providers and local logs. In this skill's context, that over-broad trigger surface is more dangerous because every search is externally routed and recorded, amplifying privacy and data-minimization risks.

Missing User Warnings

High
Confidence: 92%
Finding
Manual/chat searches are sent to external web providers and scraping engines, but this is not clearly surfaced as a user-facing warning where the skill is introduced. In context, that matters because chat users may assume local processing, while the skill can disclose their prompts to Google, Bing, DuckDuckGo, Brave, or Gemini depending on routing and fallback behavior.

Missing User Warnings

Medium
Confidence: 92%
Finding
Manual/chat searches are sent to external web providers and scraping engines, but this is not clearly surfaced as a user-facing warning where the skill is introduced. In context, that matters because chat users may assume local processing, while the skill can disclose their prompts to Google, Bing, DuckDuckGo, Brave, or Gemini depending on routing and fallback behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill logs full user queries and response summaries to local JSONL files without minimization, opt-in, or disclosure. Search queries often contain sensitive business, personal, or investigative context, so persistent logging can create a secondary data exposure path to other local users, processes, backups, or later compromise of the host.

Ssd 3

Medium
Confidence: 95%
Finding
The skill logs searches in plain language and includes both user queries and response summaries, creating a natural-language data leakage channel. Because this skill is intended for broad web-search usage, it is reasonably likely to capture sensitive personal, financial, operational, or proprietary information that can later be exposed through filesystem access, backups, or support workflows.

Ssd 3

Medium
Confidence: 97%
Finding
The documented log schema explicitly stores raw query text and response summaries in daily JSONL files, which is a concrete data exposure issue rather than a hypothetical one. In this skill's context, the danger is elevated because the tool is meant for general web lookups, so users may enter confidential requests that become durable local artifacts for 30 days.

VirusTotal

66/66 vendors flagged this skill as clean.
