Back to skill

Security audit

Multi Source Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed external search/research client that sends user queries, prompts, and URLs to AIsa-backed services using an AISA API key.

Install only if you are comfortable sending search terms, research prompts, optional system instructions, and supplied URLs to AIsa and its downstream providers. Avoid secrets, private/internal URLs, regulated data, or proprietary research context unless that external processing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest declares required binaries and environment variables but does not explicitly declare permissions while clearly documenting network access and use of a secret API key. This can weaken least-privilege controls and informed consent because a harness or user may not realize the skill will transmit prompts, URLs, and retrieved content to an external service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented as a multi-source verification engine, but the documented behavior also enables standalone answer generation, deep research, crawling, extraction, and site mapping. This broader capability surface increases the chance that users or orchestrators invoke higher-risk actions than expected, causing unintended data disclosure or broader external interaction.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The manifest frames the skill as verification-oriented retrieval, but the documented APIs include extraction, crawl, and mapping features that can pull and traverse arbitrary external content. That mismatch matters because operators may approve a low-risk search tool while actually enabling a broader web interaction capability.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The documentation positions the skill as a validation lane, yet examples encourage standalone deep research report generation through external LLM-backed endpoints. This can mislead users about where their prompts are sent and about the skill's actual function, expanding privacy and governance risk.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill manifest describes multi-source search and retrieval, but the code also exposes crawling and site-mapping operations. That scope expansion can collect substantially more third-party content than users may expect, increasing data exfiltration, scraping, and misuse risk beyond a search-only tool.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The Perplexity-backed methods accept arbitrary system instructions and forward them directly to the remote model endpoint. In a search-focused skill, this permits repurposing the tool into a more general remote LLM interface, which can bypass intended capability boundaries and weaken prompt-safety assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation repeatedly shows sending user queries, messages, and arbitrary URLs to external APIs, but it does not provide a clear warning about third-party disclosure, retention, or handling of sensitive data. In practice, users may paste confidential research topics, internal URLs, or proprietary text into requests believing this is only local tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
These call sites transmit user-supplied queries and possibly sensitive research prompts to external APIs without any disclosure, consent, or minimization controls in the tool itself. In agent settings, users may not realize their input is leaving the local environment and being processed by third parties.

External Transmission

Medium
Category
Data Exfiltration
Content
### Sonar

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
84% confidence
Finding
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar" \ -H "Authorization: Bearer $AISA_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "sonar", "messages": [

External Transmission

Medium
Category
Data Exfiltration
Content
### Sonar

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
84% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
### Sonar Pro

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar-pro" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
85% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
### Sonar Reasoning Pro

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar-reasoning-pro" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
85% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
### Sonar Deep Research

```bash
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar-deep-research" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
87% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
  -d '{"query":"latest AI developments"}'

curl -X POST "https://api.aisa.one/apis/v1/tavily/extract" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"urls":["https://example.com/article"]}'
Confidence
91% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
  -d '{"urls":["https://example.com/article"]}'

curl -X POST "https://api.aisa.one/apis/v1/tavily/crawl" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com","max_depth":2}'
Confidence
92% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
  -d '{"url":"https://example.com","max_depth":2}'

curl -X POST "https://api.aisa.one/apis/v1/tavily/map" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'
Confidence
89% confidence
Finding
https://api.aisa.one/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.