ClawHub

多引擎全自动搜索聚合器

Security checks across malware telemetry and agentic risk

Overview

This search skill is not clearly malicious, but it automatically runs other locally installed search-like skills with the user's privileges and sends fallback searches to Bing without enough control.

Install only if you trust the skills already present in the scanned OpenClaw skill directories and are comfortable with one search command launching them automatically. Avoid sensitive queries unless you can audit or restrict the discovered engines; a safer version would use an explicit allowlist, secure per-run temp files, and an option to disable external Bing fallback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        if stype == 'run':
            # 调用 run.py,传查询词
            result = subprocess.run(
                [sys.executable, path, query, '--json'],
                capture_output=True, text=True, timeout=20,
                encoding='utf-8', errors='replace'
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, path, query, '--json'], capture_output=True, text=True, timeout=20, encoding='utf-8', errors='repl

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
        else:
            # search.py 类型
            result = subprocess.run(
                [sys.executable, path, '--query', query, '--max-results', '8'],
                capture_output=True, text=True, timeout=20,
                encoding='utf-8', errors='replace'
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, path, '--query', query, '--max-results', '8'], capture_output=True, text=True, timeout=20, encodin

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill's advertised purpose is multi-engine search aggregation, but it broadens behavior by scanning local skill folders and executing every 'search-like' script it finds. In the skill context this is especially dangerous because the host may contain unreviewed or attacker-planted skills, turning a benign-seeming search helper into a launcher for arbitrary local code.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code performs direct external network access to Bing via curl despite no manifest or metadata showing that outbound transmission is expected or approved. While this is not code-execution severity, it can exfiltrate user queries and create undisclosed data-sharing/privacy risk, which is notable in an agent skill expected to operate transparently.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly documents that it scans local skill directories and executes discovered scripts via subprocess, but does not warn the user that arbitrary locally installed 'search' skills will be auto-selected and run. In this context, that omission is security-relevant because directory scanning plus automatic subprocess execution broadens the trust boundary to any matching local script, increasing the chance of unintended code execution or execution of a maliciously planted skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that the tool will automatically fall back to Bing via direct curl requests when no local results are found, but it does not disclose that user queries may be sent over the network to a third-party service. This omission can expose sensitive search terms or internal topics unexpectedly, making the behavior more dangerous in privacy-sensitive or offline-expected environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill silently invokes other local scripts without warning or confirmation, so a user requesting a search may unknowingly trigger execution of multiple third-party programs. In this context that hidden delegation increases danger because the user has no chance to assess trust boundaries or prevent risky child skill execution.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill sends the user's query to Bing directly without explicit disclosure that data will leave the local environment. For a search skill this may be functionally expected, but lack of notice and consent still creates a real privacy and policy-compliance issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal