
Security audit

Chanai Search Workflow

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent public web search workflow, but it includes under-scoped shell-based fetching and search examples that can help find exposed credentials or admin pages.

Review before installing. Use it only for non-sensitive public web searches, do not paste secrets, private identifiers, or confidential business terms into queries, and avoid the admin/password/cache examples. Treat any suggestion to use exec plus curl as requiring explicit user approval and strict URL/input validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to execute Python scripts that perform external web search, which implies network-capable behavior, yet the skill declares no corresponding permissions or trust boundary. That mismatch is dangerous because it can cause hidden capability escalation: users or hosting systems may treat the skill as low-risk documentation while it actually triggers outbound access and external data retrieval.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This guide is scoped as an external public-web search workflow, but these sections expand into unrelated utility capabilities such as password generation, Base64 operations, UUID generation, QR code generation, color conversion, and computational queries. Scope creep matters in agent skills because it broadens what the agent may be induced to do beyond user-expected search behavior, increasing misuse potential and reducing policy clarity.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The examples `inurl:login admin`, `intext:password filetype:txt`, and cache-based retrieval of deleted content teach reconnaissance patterns commonly used to locate sensitive interfaces, exposed secrets, or previously removed material. In a general-purpose search skill, this is dangerous because it operationalizes intrusive discovery techniques that go beyond ordinary public information retrieval and can facilitate unauthorized access attempts or sensitive data harvesting.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Recommending Tor and onion services introduces anonymity tooling that is not necessary for a standard search workflow and can meaningfully increase abuse potential by obscuring attribution. While privacy guidance can be legitimate, in this context it extends the skill from search assistance into evasion-oriented operational advice.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The phrase "making this the default workflow for external/public-web search" is broad enough to trigger the skill for many loosely related queries, increasing the chance of unintended web access or use of external sources when the user did not clearly ask for that. In an agent setting, overbroad routing can leak prompts or queries to third-party services, override safer internal tools, and expand the attack surface for prompt injection from web content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance explicitly recommends falling back to `exec + curl` to fetch public search pages, which expands the agent's behavior from controlled search tools to arbitrary shell-based network access. In an agent skill, this is dangerous because it can bypass normal tool guardrails, enable unreviewed outbound requests, and create a path for command construction around user-influenced queries without any safety conditions or user disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section operationalizes `exec + curl` as a prescribed response when `web_fetch` is blocked, effectively telling the agent to circumvent a safer tool's failure by switching to lower-level execution. That makes the skill context more dangerous, because the skill is specifically about external web retrieval and fallback behavior, so this guidance is likely to be exercised in normal operation rather than remaining theoretical.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Including `exec + curl` inside a standard fallback template normalizes shell-based scraping for common user tasks like flights, hotels, and local information. This broadens exposure because such tasks often involve highly variable user-supplied queries and third-party sites, increasing the chance of unsafe command composition, policy bypass, or direct access to untrusted content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown includes many `web_fetch` examples that directly send search terms to third-party engines such as Google, Scholar, DuckDuckGo, Brave, and WolframAlpha, but does not warn that user queries may be transmitted to external providers with their own logging and tracking practices. In an agent context, omission of this privacy disclosure can cause unintended sharing of sensitive user intent or data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly documents parameters for disabling safe search and family filters without warning about the resulting exposure to explicit, unsafe, or otherwise policy-sensitive content. In an agent-operated workflow, this can lead to accidental retrieval of harmful material or content outside user expectations and organizational policy.

VirusTotal

66/66 vendors flagged this skill as clean.
