smart-search-zh

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AISA-powered research search skill, but users should avoid sending private queries or internal URLs to its remote API.

Install only if you trust AISA with search queries, URLs, and any extracted page content you provide. Use a dedicated or rotatable AISA_API_KEY, monitor usage, and do not submit secrets, private documents, authenticated pages, localhost, or internal network URLs through this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill declares required environment variables and a Python runtime, and its described execution path implies outbound service use, yet it does not explicitly declare permissions for network or environment access. This weakens reviewability and least-privilege controls: operators may approve or invoke the skill without understanding that it can read secrets from the environment and make external requests.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The skill description presents a simple hybrid search capability, but the observed behavior includes additional third-party service calls, URL content extraction, AI summarization, and confidence scoring. This mismatch is dangerous because users and reviewers may consent to a search tool without realizing it can fetch arbitrary page contents and transmit queries or extracted data to multiple external providers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The extract command accepts arbitrary user-supplied URLs and sends them to a remote extraction service without any allowlisting, validation, or user-facing warning. In an agent setting, this can be abused to fetch sensitive internal endpoints or private resources through the third-party service, effectively expanding data-access scope beyond the stated smart-search purpose.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding: The trigger condition is broad (essentially any request needing both web coverage and academic depth), which can cause the skill to activate in situations the user did not intend. Overbroad invocation increases the chance of unnecessary external data transmission and use of a more capable workflow than required.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding: The usage guidance repeats the same broad activation language without narrowing scope or adding safeguards, reinforcing a pattern of unintended invocation. In practice, this can expand data exposure and external calls across loosely related research tasks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: User queries and user-supplied URLs are transmitted to external services, but the CLI provides no explicit notice, consent step, or data-handling warning. In agent workflows, users may include confidential prompts, document references, or internal URLs, causing unintended disclosure to a third-party API provider.
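The Context-Inappropriate Capability and Missing User Warnings findings above (and the Overview's advice) name two controls the skill lacks: validation of extract URLs and a notice before data leaves the machine. The following pre-flight gate is an added example, not code from the smart-search-zh skill or from SkillSpector. It rejects loopback, private, link-local, and internal-name targets (including names that resolve to such addresses), screens the query for secret-like content, and builds the data-handling notice the CLI should show. The blocked host suffixes, the secret patterns, the provider name "AISA", and the injectable resolver hook are assumptions for illustration.

```python
"""Pre-flight gate for a search/extract skill's outbound calls.

Added example; not code from the smart-search-zh skill or SkillSpector.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Assumed internal naming conventions; adjust to the deployment.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}
BLOCKED_HOST_SUFFIXES = (".localhost", ".local", ".internal", ".corp", ".lan")

# Constructed, illustrative patterns; not an exhaustive secret scanner.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*", re.I),
    "assigned_credential": re.compile(
        r"\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*\S{8,}", re.I),
}

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a name with the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def _is_public(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url_target(url: str, resolver: Resolver = default_resolver) -> List[str]:
    """Reasons the URL must not be handed to the remote extractor.

    An empty list means a public http(s) host. The resolver is injectable
    so the check can run offline with a fake resolver (assumed hook).
    """
    reasons: List[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"scheme '{parts.scheme or '(none)'}' is not http/https")
    if parts.username or parts.password:
        reasons.append("URL embeds credentials")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("URL has no host")
        return reasons
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_HOST_SUFFIXES):
        reasons.append(f"host '{host}' is an internal name")
    try:                      # literal IP: check it directly
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:        # DNS name: every answer must be public
        addrs = list(resolver(host))
        if not addrs:
            reasons.append(f"host '{host}' does not resolve")
    for addr in addrs:
        if not _is_public(addr):
            reasons.append(f"host '{host}' maps to non-public address {addr}")
    return reasons


def screen_query(text: str) -> List[str]:
    """Names of secret-like patterns found in the query or attached text."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


@dataclass
class Preflight:
    allowed: bool
    notice: str                     # data-handling notice shown before sending
    reasons: List[str] = field(default_factory=list)


def preflight(query: str, urls: Iterable[str] = (), provider: str = "AISA",
              resolver: Resolver = default_resolver) -> Preflight:
    """Block on any bad URL or secret hit; always build the user notice."""
    reasons: List[str] = []
    for url in urls:
        reasons.extend(f"{url}: {r}" for r in check_url_target(url, resolver))
    reasons.extend(f"query matches {name}" for name in screen_query(query))
    notice = (f"This request sends your query and any URLs to {provider}. "
              "Do not include secrets, private documents or internal URLs.")
    return Preflight(allowed=not reasons, notice=notice, reasons=reasons)


if __name__ == "__main__":
    # Constructed inputs and a fake resolver so the demo runs offline.
    fake_dns = lambda h: ["93.184.216.34"] if h == "example.com" else ["10.0.0.5"]
    for q, urls in [("latest work on SSRF defenses", ["https://example.com/paper"]),
                    ("summarize", ["http://169.254.169.254/latest/meta-data"]),
                    ("key AKIAIOSFODNN7EXAMPLE is failing", ["https://example.com"])]:
        r = preflight(q, urls, resolver=fake_dns)
        print("ALLOW" if r.allowed else "BLOCK", q, r.reasons)
```

Names are resolved and every answer checked, not just the literal host string, because an allowlist on strings alone still lets an attacker-controlled name that resolves to 10.0.0.5 or 169.254.169.254 reach the internal target through the third-party extractor. The secret screen is deliberately a blocker rather than a warning: a false positive costs one re-phrased query, a false negative sends a credential to an external provider.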

VirusTotal

67/67 vendors reported this skill as clean; no vendor flagged it as malicious.
