Meyhem Researcher

Security checks across malware telemetry and agentic risk

Overview

This is a remote research/search skill that clearly sends search topics and selected URLs to api.rhdxm.com, with no evidence of hidden local access, persistence, credential use, or destructive behavior.

Install only if you are comfortable sending research queries, agent identifiers, and selected result URLs to api.rhdxm.com. Avoid using it for confidential investigations, proprietary plans, customer data, secrets, or regulated personal information unless you trust that provider's data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents outbound network use but declares no corresponding permission metadata, creating a transparency and governance gap. This can cause users or host systems to misjudge the skill's data exposure surface, especially since user queries and selected URLs are transmitted to a third-party service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the user-supplied research topic, derived queries, and agent identifier to a third-party service without an explicit privacy notice or consent step. Even though network use is central to the skill's purpose, topics may contain sensitive internal plans, personal data, or confidential research subjects, so silent transmission creates a real data-exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code automatically performs a second outbound request that forwards the selected result URL and provider to the external API, which is an additional data-sharing action beyond the initial search. This follow-up request can reveal user browsing/research choices and trigger remote content retrieval without clear user awareness, increasing privacy and transparency risks.

External Transmission

Medium
Category
Data Exfiltration
Content
Full API docs: https://api.rhdxm.com/docs

```bash
curl -s -X POST https://api.rhdxm.com/search \
  -H 'Content-Type: application/json' \
  -d '{"query": "YOUR_QUERY", "agent_id": "my-researcher", "max_results": 10, "freshness": "hour"}'
```
Confidence
93% confidence
Finding
curl -s -X POST https://api.rhdxm.com/search \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Full API docs: https://api.rhdxm.com/docs

```bash
curl -s -X POST https://api.rhdxm.com/search \
  -H 'Content-Type: application/json' \
  -d '{"query": "YOUR_QUERY", "agent_id": "my-researcher", "max_results": 10, "freshness": "hour"}'
```
Confidence
93% confidence
Finding
https://api.rhdxm.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## MCP

You can also connect via MCP at `https://api.rhdxm.com/mcp/` for richer integration.

## Data Transparency
Confidence
84% confidence
Finding
https://api.rhdxm.com/

VirusTotal

65/65 vendors flagged this skill as clean.
