ClawHub
Back to skill

Security audit

Power Search

Security checks across malware telemetry and agentic risk

Overview

Power Search is a coherent web-search skill, but users should understand that searches leave the host and Browserless can make server-side page fetches.

Install only if you are comfortable sending search terms to Brave and, when using --fetch, sending result URLs and fetched page content through your configured Browserless service. Use a dedicated Brave API key, bind or firewall Browserless to trusted hosts, avoid sensitive or internal-only targets in shared Telegram chats, and stop the persistent container when it is not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates use of environment variables and network access, but the manifest does not declare corresponding permissions or data-handling expectations. This is dangerous because users and orchestrators may grant or execute the skill without understanding that it reads secrets like API keys and transmits queries and URLs externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill is presented primarily as a research/search tool, but the file also documents Telegram/OpenClaw command handling and chat response routing. This mismatch can cause operators to deploy it in more-trusted contexts than intended, increasing the chance of unintended remote invocation, data exposure in chat, or abuse through messaging integrations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes web search and full-page fetching through Brave Search API and Browserless but does not disclose that user queries, target URLs, and potentially fetched page content may be sent to external services or processed by separate infrastructure. This can mislead operators into using the skill with sensitive queries or internal URLs, creating privacy, confidentiality, and data-handling risk even if the behavior is expected for the feature set.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup and usage text does not clearly warn that user queries are sent to Brave Search and that fetched pages/URLs are processed by Browserless. This matters because users may submit sensitive terms, internal URLs, or proprietary research targets without realizing that external services will receive or process that data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When --fetch is enabled, the tool sends result URLs to a Browserless endpoint for remote page retrieval, which can expose user queries, browsing targets, and fetched content to another service. Although the default is localhost, the host and port are configurable via environment variables and there is no explicit user-facing disclosure or trust boundary warning before transmitting data off-process or potentially off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When users invoke `/search ... --fetch`, the handler automatically causes server-side network requests to third-party URLs returned by Brave and retrieves page content without any explicit disclosure, confirmation, or restriction. In a Telegram bot context, this creates an SSRF-style primitive and privacy risk because an untrusted chat user can induce the host running the skill to contact arbitrary destinations reachable from that host, including internal services if search results or redirects permit it.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.