curl-search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward curl-based web search skill, with privacy and robustness caveats but no evidence of hidden, destructive, persistent, or credential-stealing behavior.

Install only if you are comfortable with your search terms being sent to public search engines. Do not search for secrets, private customer data, proprietary code, or credentials with this skill; consider setting SEARCH_ENGINE to google, bing, or duckduckgo to avoid the default HTTP Baidu path. Also note that the sanitizer appears fragile and may cause the script to fail on some systems, so treat the advertised injection-protection claims as imperfect rather than a security guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill explicitly depends on curl and describes web searching via shell commands, which implies both network access and shell execution, yet it declares no corresponding permissions. This creates a transparency and policy gap: users or hosting systems cannot accurately assess or constrain what the skill is allowed to do, increasing the chance of unintended outbound requests or shell-based abuse.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The encode_url helper interpolates user-controlled input directly into a Python one-liner inside double quotes. Because shell expansion occurs before Python runs, an input containing characters such as single quotes and shell substitution syntax can break out of the intended Python string and trigger shell command execution, contradicting the script's claimed injection protections. In an agent skill context, this is especially dangerous because the query is naturally user-supplied and likely to be treated as low risk.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The activation description triggers on broad phrases like 'search', 'look up', or 'query something online', which can cause the skill to run in situations the user did not specifically intend. Because this skill performs network requests to third-party engines, over-broad invocation increases the risk of accidental data disclosure and unexpected outbound traffic.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: Although the skill says it uses public search engines, it does not clearly warn users at the point of description or usage that their query text will be transmitted to third-party services over the network. This is especially relevant because search queries may contain sensitive, proprietary, or personal information, and the broad activation behavior makes accidental disclosure more likely.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The script sends user queries to third-party search engines over the network without any explicit notice, consent flow, or privacy guidance. Search terms may contain sensitive internal, personal, or security-relevant information, and in an agent setting users may not realize their prompts are being exfiltrated to external services. The skill context increases risk because it is designed specifically to forward free-form user input off-host.

VirusTotal

65/65 vendors flagged this skill as clean.