perplexity-research-aisa

Security checks across malware telemetry and agentic risk

Overview

This research skill is not malicious, but it exposes broader multi-source search and remote URL extraction than its Sonar-focused description clearly discloses.

Install only if you are comfortable giving this skill an AISA API key and letting it send research queries and user-supplied URLs to api.aisa.one. Treat it as a broader multi-source web research client, not just a Perplexity Sonar wrapper, and avoid using it with confidential, internal, localhost, or private-network URLs unless the publisher documents stronger scoping and consent controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill requires an API key and invokes a Python client to reach external AISA/Perplexity services, which implies access to environment variables and network despite not declaring explicit permissions. This creates a transparency and governance gap: users or policy engines may approve the skill under incomplete assumptions, increasing the chance of unintended secret exposure or unauthorized outbound requests.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented purpose is narrow, but the analyzed behavior indicates broader search, arbitrary URL extraction, parallel multi-source querying, and synthesis across non-Sonar sources. That mismatch is dangerous because it can conceal a larger data-access and exfiltration surface than users expect, enabling collection or transmission of content from arbitrary URLs under the guise of a simple research skill.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding: The skill metadata says it is for Perplexity Sonar deep research, but the script exposes broader web, scholar, Tavily, extraction, and custom synthesis capabilities. That scope mismatch increases the attack surface and can bypass user or platform expectations about what data sources and operations the skill is allowed to use.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding: The extract command sends arbitrary user-supplied URLs to a remote service for content retrieval and prints raw content locally. In an agent context, this can be abused to fetch internal or sensitive URLs through the external provider, creating SSRF-style data exposure or unauthorized retrieval beyond the stated research purpose.

VirusTotal

67/67 vendors flagged this skill as clean.
