ClawHub

Meyhem Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that sends search requests to a disclosed external API and shows no hidden local access, persistence, or destructive behavior.

Install only if you are comfortable sending search terms, agent identifiers, and selected-result URLs to api.rhdxm.com. Avoid using it for secrets, private customer information, proprietary research, or sensitive personal data because the artifact does not provide retention or privacy guarantees for the third-party service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly performs network operations against a third-party service, but the manifest does not declare any permissions reflecting that capability. This creates a transparency and governance gap: users or hosting platforms may not realize queries and selected URLs are transmitted externally, increasing the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This skill sends the user's search query and agent identifier to a third-party remote API, but the CLI only exposes this indirectly through usage syntax and does not clearly disclose data transmission, retention, or trust boundaries. Queries may contain sensitive user data, and the optional content-selection flow also causes the chosen result URL and provider metadata to be sent back to the same service, increasing privacy exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
Full API docs: https://api.rhdxm.com/docs

```bash
curl -s -X POST https://api.rhdxm.com/search \
  -H 'Content-Type: application/json' \
  -d '{"query": "YOUR_QUERY", "agent_id": "my-agent", "max_results": 5, "freshness": "hour"}'
```
Confidence
88% confidence
Finding
curl -s -X POST https://api.rhdxm.com/search \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Full API docs: https://api.rhdxm.com/docs

```bash
curl -s -X POST https://api.rhdxm.com/search \
  -H 'Content-Type: application/json' \
  -d '{"query": "YOUR_QUERY", "agent_id": "my-agent", "max_results": 5, "freshness": "hour"}'
```
Confidence
88% confidence
Finding
https://api.rhdxm.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal