web-search-zh

Security checks across malware telemetry and agentic risk

Overview

This is a web-search skill that uses a declared AISA API key, with broader research and extraction commands that users should understand before use.

Install only if you are comfortable sending search queries, URLs, and retrieved page content to AISA. Use a revocable or quota-limited AISA_API_KEY, avoid confidential/private URLs or sensitive query text, and invoke extraction, Sonar, or multi-source synthesis only when you specifically want those broader research modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The documented purpose is a lightweight generic web search skill, but the analysis indicates materially broader capabilities such as URL extraction, AI answer generation, deep research, and multi-source aggregation. This mismatch is dangerous because operators may invoke or trust the skill under a narrower risk model than what it can actually do, leading to unintended data fetching, content processing, or expanded external exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The implementation materially exceeds the declared scope of a simple web-search skill by adding URL extraction, academic search, multi-source aggregation, confidence scoring, and AI synthesis. This matters because users and the hosting platform may grant the skill trust and permissions appropriate for search only, while the code performs broader data retrieval and transformation behaviors that can expose more content than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The extract command accepts arbitrary user-supplied URLs and prints raw fetched content, which is a significantly more powerful capability than returning search result titles, links, and snippets. In an agent setting, this can be used to retrieve and disclose sensitive page contents from unintended targets, including internal, tokenized, or private URLs reachable by the backend service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The verity workflow performs multi-source aggregation, scoring, and AI synthesis beyond the stated purpose of returning structured search results. This expands the trust boundary because raw source outputs are transmitted for secondary processing and transformed into authoritative-looking summaries, increasing the chance of unintended data exposure or misuse under a misleadingly narrow skill description.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger condition covers broad requests like finding information online or collecting recent sources, which can overlap with many normal user queries. Overbroad activation increases the chance the skill runs when unnecessary, causing unnecessary network calls, external data disclosure in prompts, or bypass of more appropriate/local-only tools.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The 'when to use' section does not define firm activation boundaries, so the skill may be selected for loosely related tasks. In context, this is more concerning because the skill has networked behavior and apparently broader backend capabilities than the documentation suggests, amplifying the effect of accidental invocation.

VirusTotal

64/64 vendors flagged this skill as clean.
