ClawHub

Unified Search Suite

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real search and extraction tool, but it needs review because it can silently use local GitHub credentials and send queries, snippets, URLs, and documents to several external services.

Install only if you are comfortable with a search skill that sends data to multiple external providers. Avoid using it with confidential queries, internal or signed URLs, private documents, or sensitive GitHub repositories unless the publisher adds clear controls for provider selection, translation opt-in, credential use, URL restrictions, and cache cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (23)

Tainted flow: 'key' from requests.post (line 967, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if key in _TRANSLATION_CACHE:
        return _TRANSLATION_CACHE[key]
    try:
        r = requests.get(
            "https://translate.googleapis.com/translate_a/single",
            params={
                "client": "gtx",
Confidence
87% confidence
Finding
r = requests.get( "https://translate.googleapis.com/translate_a/single", params={ "client": "gtx", "sl": "auto", "tl": "

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script goes beyond simple URL fetching by automatically discovering GitHub credentials from environment variables and ~/.git-credentials. That expands its privilege scope and can silently attach authentication to outbound requests, exposing private repository metadata access and violating least-privilege expectations for a content-fetching utility.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill manifest describes search and research features, but this file also performs automatic machine translation through Google Translate. Undisclosed secondary processing of user/query-derived content is dangerous because operators and users may not realize their data is being sent to an extra third party, undermining privacy expectations and governance controls.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code adds a translation capability that is not necessary for the stated search purpose and routes content to Google Translate. This broadens the skill's data-sharing scope beyond search/retrieval, creating avoidable privacy and policy risk if sensitive queries or extracted content are translated automatically.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill routes user queries to multiple third-party services and defaults to a deep multi-provider mode, but the documentation does not clearly warn that prompts, URLs, and fetched content will be transmitted externally. Users may submit proprietary, regulated, or personal data assuming a local search wrapper, resulting in unintended disclosure to several vendors at once.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The content-extraction and MinerU flows accept arbitrary URLs and document/file sources without warning that the referenced content may be fetched by external systems or processed by third-party APIs. This is risky because users could pass sensitive internal links, private documents, signed URLs, or access-controlled resources and unintentionally expose their contents or metadata.

Missing User Warnings

Low
Confidence
94% confidence
Finding
This script performs a server-side fetch of a fully user-controlled URL with `requests.get(args.url, ...)` and no scheme/host restrictions, disclosure, or safety checks. In an agent skill context, that can enable server-side request forgery behavior against internal services, cloud metadata endpoints, or other non-user-visible network targets, and the fetched content is then processed and returned to the caller.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends queries containing CJK characters to translate.googleapis.com automatically, which can disclose potentially sensitive user input to a third-party service without explicit notice or consent. In a search skill, users may paste internal project names, incident details, credentials by mistake, or other confidential terms, making silent exfiltration to an external provider a real privacy and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The code not only translates some non-English queries automatically but also uses the translated English text as an additional query variant, changing user intent and broadening external disclosure without consent. This can expose private terms twice—original and translated—and may route searches based on a machine-translated interpretation that the user did not authorize, increasing privacy, compliance, and accuracy risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to send a user-supplied URL to the external MinerU API as a fallback, but it does not require notifying the user or obtaining consent before transmitting that potentially sensitive URL to a third party. URLs can contain private document locations, access tokens, internal hostnames, or other sensitive query parameters, so silent transmission creates a real privacy and data-handling risk even if the feature is operationally useful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation describes sending user-supplied URLs to the external MinerU API and storing downloaded results under a local workspace path, but it does not clearly warn the operator that third-party transmission and local persistence will occur. This creates a real privacy and data-handling risk because users may submit sensitive URLs or documents without informed consent, especially in a search/extraction skill where external fetching is not always obvious.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends a user-supplied source URL and processing parameters to the external MinerU service, which means referenced documents or pages may be disclosed to a third party. In a search/extraction skill this may be intentional functionality, but the lack of an explicit warning or consent gate creates a real privacy and data-handling risk, especially if users pass internal, signed, or otherwise sensitive URLs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends user-supplied document URLs to a third-party extraction API, downloads the resulting archive, and persists extracted content and metadata under a workspace cache. In an agent-skill context, this can expose sensitive URLs, document contents, and derived markdown to external services and local disk without a strong user-facing consent boundary, increasing privacy and data-handling risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill advertises itself as the default for 'ALL search/lookup needs' and says to use it for 'ANY query that requires web search,' which is overly broad routing guidance. In an agentic system, this can cause unnecessary invocation of multi-provider search and synthesis flows for ordinary requests, increasing data exposure to external services and making tool selection easier to hijack or over-trigger.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The document title and operating protocol are written as a Chinese-first execution spec ('意图感知多源检索协议') without an explicit requirement to honor the user's language. While not a direct code-execution flaw, forcing a language can degrade transparency, cause misinterpretation of instructions/results, and make it harder for users to verify what is being sent to external providers.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The guide explicitly requires Chinese technical queries to also be searched in English, but it does not mention user consent, configurability, or data-minimization boundaries. This can expose user-entered terms to additional third-party search providers and may violate user expectations, especially when queries contain sensitive business, personal, or unreleased technical information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script fetches arbitrary remote pages, extracts body text and comments, and sends portions of that content to an external LLM via relevance_gate._call_llm / score_candidates without any user-visible disclosure or consent mechanism. In a search/deep-research skill, fetched pages may contain sensitive, private, or access-controlled material surfaced from seed URLs, so silent third-party transmission creates a real data-exposure risk even if it is part of the intended feature set.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Reading ~/.git-credentials without explicit user disclosure is sensitive because it accesses stored secrets unrelated to the immediate fetch request. In an agent skill context, this can surprise users and cause authenticated requests to be made on their behalf, potentially exposing private data or broadening access without consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the user's query, accumulated knowledge state, and candidate link text to an external LLM endpoint loaded from credentials or environment variables, but there is no in-code consent gate, warning, or data minimization before transmission. In a search/deep-research skill, these fields can contain sensitive user intent, proprietary notes, or copied page snippets, so silent exfiltration to a third-party model provider creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Search-derived text is transmitted to translate.googleapis.com without any warning, consent flow, or obvious user control. In a search skill, users may reasonably expect queries to go to search engines, but not that result content and generated answers will be forwarded to a separate translation service, making this a real privacy issue.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill hard-codes Simplified Chinese summary generation prompts, forcing a specific output language regardless of user preference or locale. This is primarily a security/privacy design issue because it can trigger unexpected external translation and mis-handle user data flows without informed choice, though the direct exploitability is limited.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Automatic translation is forced to zh-CN and performed through an external Google endpoint without user opt-in. That combines unnecessary third-party transmission with lack of language-choice controls, making the behavior more risky than a purely local formatting decision.

Ssd 1

Medium
Confidence
96% confidence
Finding
Untrusted anchor text, context, and URLs are interpolated directly into a single natural-language prompt, so malicious web content can instruct the model to ignore scoring rules, emit malformed JSON, or bias scores toward attacker-controlled links. In this skill's research workflow, that can steer automated link-following and source selection, degrading integrity of the search chain and potentially causing the system to prioritize adversarial or irrelevant destinations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal