ClawHub

Turing Tavily Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that sends user-provided search queries to a Turing Tavily proxy using configured Turing credentials.

Install this only if you trust the Turing Tavily proxy and the configured TURING_API_BASE. Do not include secrets, credentials, private documents, or confidential business details in search queries, and prefer a scoped Turing API key for this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly performs outbound web searches through an external proxy, yet the manifest shown in SKILL.md does not declare any explicit network permission or equivalent capability boundary. This weakens policy enforcement and user/admin awareness, making it easier for the skill to transmit user-provided data externally without transparent authorization controls.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description uses very broad trigger language such as 'search the web' and 'look up real-time information,' which can cause the skill to activate for many generic research requests without clear scoping or user confirmation. In a skill that sends queries to an external service, over-broad activation increases the chance that sensitive prompts, internal data, or unnecessary user context are disclosed to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explains parameters and usage but does not clearly warn that queries and filters are transmitted to the Turing Tavily proxy, an external network service. This lack of disclosure can mislead operators or users into sending sensitive search terms, proprietary topics, or personal data off-platform without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal