Ceramic Search

Security checks across malware telemetry and agentic risk

Overview

This is a real Ceramic web-search skill, but it asks users to force all web search through it and sends queries to external services with limited privacy guidance.

Install only if you are comfortable sending search queries and a Ceramic API key to Ceramic-operated services. Avoid using it for secrets, confidential business data, or sensitive personal information unless that external data flow is approved. Treat the README steps that force all web searches through this plugin and disable other search tools as an optional administrative policy, not a required safe default.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill clearly requires environment access to read CERAMIC_API_KEY and network access to send queries to api.ceramic.ai, yet the skill text does not declare explicit permissions beyond metadata requirements. This mismatch weakens review and policy enforcement because an agent may invoke code-capable behavior without a clear permission contract, increasing the chance of unintended secret use or outbound requests.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrases are broad and generic, including terms like "latest," "recent," and "find online," which can match many ordinary prompts and cause the skill to run unexpectedly. In this skill, unintended invocation matters because activation leads to external network calls and use of an API-backed search service, potentially sending user queries off-platform without clear necessity.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README states that natural-language queries are rewritten via an internal LLM call and then sent to the Ceramic Search API, but it does not warn users that their prompts may be transmitted to third-party services. This can expose sensitive user queries, internal data, or regulated information if an operator assumes search is local or privacy-preserving.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The tool sends user-supplied search queries, and LLM-rewritten variants of those queries, to external services (`api.runtime.llm.complete` and `https://api.ceramic.ai/search`) without any user-facing disclosure, consent check, or minimization in this file. In a web-search skill this transmission is expected for functionality, but it is still a real privacy/security concern because sensitive prompts or embedded secrets could be exfiltrated to third parties.

External Transmission

Medium

Category: Data Exfiltration
Content: const maxDescriptionLength = params.maxDescriptionLength ?? 3e3; const responses = await Promise.all( keywordQueries.map(async (kq) => { const res = await fetch("https://api.ceramic.ai/search", { method: "POST", headers: { Authorization: `Bearer ${apiKey}`,
Confidence: 90% confidence
Finding: fetch("https://api.ceramic.ai/search", { method: "POST"

External Transmission

Medium

Category: Data Exfiltration
Content: const maxDescriptionLength = params.maxDescriptionLength ?? 3e3; const responses = await Promise.all( keywordQueries.map(async (kq) => { const res = await fetch("https://api.ceramic.ai/search", { method: "POST", headers: { Authorization: `Bearer ${apiKey}`,
Confidence: 90% confidence
Finding: https://api.ceramic.ai/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal