Openclaw Search

Security checks across malware telemetry and agentic risk

Overview

This search skill sends queries and URLs to AIsa as advertised and shows no hidden install, persistence, or destructive behavior.

Before installing, confirm you trust AIsa and are comfortable sending search terms, target URLs, and related research context to its API. Avoid using it for secrets, confidential internal documents, or proprietary topics unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 82%
Finding
The description is broad enough to match many generic research, synthesis, competitor, and trend-discovery requests, which can cause the skill to be invoked more often than intended. Over-broad routing increases the chance that user prompts and sensitive context are unnecessarily sent to an external search provider, especially because this skill uses network access and an API-backed service.

Vague Triggers

Medium
Confidence: 88%
Finding
The usage guidance lists positive examples but lacks strong trigger boundaries and negative examples, making accidental over-invocation more likely. Because the skill relies on external API access, unclear guidance can lead to unnecessary transmission of user queries or context to third-party services, creating privacy and policy compliance risks.

Missing User Warnings

Medium
Confidence: 85%
Finding
The client forwards user-supplied queries and URLs to a third-party API without any explicit disclosure, confirmation, or data-handling warning in the CLI flow. In a research/search skill, inputs may contain sensitive internal topics, URLs, or proprietary targets, so silent transmission can create privacy and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.
