web-search-aisa

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AISA search skill, but it advertises simple web search while the bundled client also supports URL extraction, deep-research/model queries, and AI synthesis through external endpoints.

Install only if you are comfortable with AISA receiving your search queries and any URLs you ask the skill to process, and with the client being able to use extraction and AI synthesis features in addition to basic web search. Avoid using it with private, internal, credential-bearing, or confidential URLs or prompts unless you trust AISA's handling of that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required environment variables and uses a networked search client, but the metadata does not clearly declare permissions in a way that informs policy enforcement or review. This creates a transparency gap: users or orchestration systems may invoke a network-capable skill without an explicit permission model, increasing the chance of unintended data egress.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a simple web search tool returning titles, links, and snippets, but the detected behavior indicates broader capabilities including content extraction, model querying, multi-source aggregation, and AI synthesis. This mismatch is dangerous because users and calling agents may provide inputs under a lower-risk assumption, while the implementation can send data to additional services or perform richer processing than disclosed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes a web-search skill returning structured titles, links, and snippets, but this code also supports arbitrary URL extraction and prints raw page content. That expands the data-access scope significantly and can expose users to unintended collection or disclosure of full page contents, including sensitive material present at supplied URLs.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The verify-and-synthesize flow goes beyond simple structured search: it aggregates multiple sources, computes a confidence score, and calls an explanation endpoint to generate an AI summary. This increases the skill's effective capabilities and data-sharing surface beyond what the manifest promises, which can mislead users and route retrieved content into additional model-processing steps.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown does not clearly warn users that their queries are transmitted to an external web search service. Without that disclosure, users may submit sensitive or regulated information, leading to unintended third-party data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The helper transmits user queries and user-supplied URLs to a third-party API without any built-in warning, consent prompt, or redaction step. If users enter confidential terms, internal URLs, or regulated data, that information is disclosed externally by design, which is risky for a search skill likely to be used interactively.

VirusTotal

67/67 vendors flagged this skill as clean.