Anspire Search

Security checks across malware telemetry and agentic risk

Overview

This is a real web-search skill, but it pushes the agent to collect and permanently save your API key in local startup files.

Install only if you trust Anspire with your search queries and are comfortable managing an API key for it. Prefer setting ANSPIRE_API_KEY yourself using a secure secret manager or a temporary session variable; do not paste the full key into chat for the agent to save into shell startup files. Avoid the raw GitHub main-branch install method unless it is pinned to a reviewed revision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of environment variables, network access, and shell commands without declaring corresponding permissions. This creates a transparency and governance gap: users and the platform may not realize the skill can inspect env state, call external services, and modify shell configuration. In a skill that also solicits and stores secrets, undeclared capabilities materially increase risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation tells the agent to automatically persist a user-provided API key into shell startup files or Windows environment settings for future reuse. Persisting secrets on disk and modifying login profiles is not necessary to perform a one-time web search and creates lasting exposure if the host is shared, backed up, or later compromised. The danger is amplified because the instructions encourage automatic execution rather than informed, explicit user action.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill expands from search functionality into executing shell commands that modify the user's environment and startup files. That broadens operational scope beyond the stated purpose and creates a path for unintended system changes, especially if the agent misdetects the shell, writes malformed content, or performs actions on the wrong host context. Any agent-directed profile mutation should be treated as sensitive behavior.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims there is 'no setup beyond one env var,' but later mandates proactive persistent configuration and modification of startup files. This mismatch can mislead users about the degree of system access and permanence involved, reducing informed consent and making risky behavior seem routine. Misrepresentation of setup complexity is a security-relevant trust issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to place a live API key in persistent shell startup files such as ~/.zshrc or ~/.bashrc. While this is common operational guidance, it increases the chance of accidental credential exposure through dotfile backups, screenshots, shared home directories, shell-history-adjacent troubleshooting, or syncing those files to source-control or cloud storage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions encourage saving a secret into shell profiles and Windows environment settings without a prominent warning that this writes the credential to disk and changes future login behavior. Users may not understand that this increases the blast radius of compromise and can expose the secret through backups, support bundles, profile inspection, or other local tooling. Lack of explicit warning undermines informed consent for secret handling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits the user-provided search query and API credential to an external third-party endpoint, but it provides no disclosure, consent prompt, or warning that user input will leave the local environment. This is a real privacy/security concern because users may enter sensitive data assuming a local utility, and the skill description does not eliminate the risk of inadvertent data exfiltration to the remote service.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to persist and reuse a user-provided API credential across future sessions. That is sensitive-data retention beyond the immediate task and violates least-retention principles; if the environment is later compromised, the attacker gains a reusable credential. The fact that reuse is mandatory rather than optional makes the behavior more dangerous in context.

Ssd 3

High
Confidence
97% confidence
Finding
The skill requires preserving and reproducing the user's full API key verbatim, including when showing commands. This creates a direct risk of secret disclosure in chat transcripts, logs, screenshots, debugging output, or accidental echoing back to the user. In a security-sensitive context, instructions to repeat full secrets are unsafe unless strictly minimized and redacted.

Ssd 3

Medium
Confidence
95% confidence
Finding
The required behavior tells the agent to proactively solicit credentials whenever live search might be needed. Proactive credential collection normalizes secret requests, increases phishing-like behavior, and expands the number of conversations where sensitive data may be requested without strong necessity. In context, a search skill should not default to asking for API keys at conversation start or broad trigger conditions.

Session Persistence

Medium
Category
Rogue Agent
Content
Key formatting rules:

* Treat the key as opaque text. Do not shorten, normalize, or rewrite it.
  (Treat the key as indivisible raw text; do not abbreviate, normalize, or rewrite it.)
* Preserve the entire value, including prefixes such as `sk-` when present.
  (The full value must be preserved; if it carries a prefix such as `sk-`, that must be preserved in full too.)
Confidence
86% confidence
Finding
…rewrite it. (Treat the key as indivisible raw text; do not abbreviate, normalize, or rewrite it.)
* Preserve the entire value, including prefixes such as `sk-` when present. (The full value must be preserved; if it carries a prefix such as `sk-`, that must be preserved in full too.)
* Do not insert spaces, tabs, line breaks, or

VirusTotal

65/65 vendors flagged this skill as clean.