Unified Search - 统一智能搜索 (Unified Smart Search)

Security checks across malware telemetry and agentic risk

Overview

This is mostly an ordinary search skill, but it needs review for two reasons: it can shell out to a DuckDuckGo helper script that is not bundled with the skill and is expected to sit in a neighboring directory, and its documented install location and runtime scope do not match.

Review before installing. Confirm the intended install folder; inspect the ddg-search helper, or install only one from a trusted source, before using English search; and treat every search term as data sent to an external provider. Do not paste secrets, private identifiers, or regulated data into searches, and do not reuse the documented shell-exec example with untrusted query text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to run Python scripts, install packages, and use browser automation, which implies shell, network, and environment capabilities, yet no permissions are declared. This creates a transparency and governance gap: an agent or user may invoke capabilities with broader access than expected, increasing the chance of unintended external requests or local command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared behavior says the skill routes Chinese queries to Baidu, English to DuckDuckGo, and crypto queries to CoinGecko, but the documentation also describes Bing fallback logic, standalone Baidu utilities, and Playwright-driven browser automation. This mismatch is dangerous because users and policy systems may approve the skill for a narrower purpose while it actually supports additional network destinations and more powerful interaction methods.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation advertises a Bing fallback even though the skill metadata says the supported engines are Baidu, DuckDuckGo, and CoinGecko. This mismatch can cause the agent or operator to send queries to an undocumented third-party service, creating unexpected data disclosure, policy bypass, and supply-chain risk because users may believe only the declared engines are used.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented search flow contradicts the stated design by routing failed Baidu searches to Bing instead of the manifest-declared DuckDuckGo behavior. In an agent setting, this inconsistency is dangerous because reviewers, users, and policy controls may authorize one data flow while the documentation encourages or normalizes another, undermining trust boundaries and network egress expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The example invokes a shell command that runs a local Python script with interpolated user input, which expands this skill from simple search into arbitrary local code execution. Even though the command targets a specific script, passing untrusted query data through shell command construction can enable command injection or unintended execution paths depending on how the exec wrapper and downstream script handle quoting.
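
As an added illustration of this finding (example code written for this review, not the skill's own script; the helper name ddg_search.py and the query text are assumed), the snippet below tokenises a query-bearing command the way a POSIX shell would, shows the separator a hostile query smuggles in, and contrasts the two fixes a reviewer would ask for: shlex.quote when a shell is unavoidable, and an argument vector with no shell at all:

```python
import shlex
import subprocess
import sys

# Constructed sample input: a search query that carries a shell command separator.
INJECTED_QUERY = "cats; cat ~/.env"


def unsafe_command(script, query):
    """The documented pattern: user text interpolated straight into a shell string.
    The script name is an assumption; the skill's docs only say 'ddg-search helper'."""
    return f"python {script} {query}"


def has_extra_commands(command):
    """Tokenise the string as a POSIX shell would; any separator token means the
    shell would run something beyond the one intended command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return any(tok in (";", "|", "&", "&&", "||") for tok in lexer)


def quoted_command(script, query):
    """Mitigation when a shell is unavoidable: shlex.quote turns the query into one word."""
    return f"python {script} {shlex.quote(query)}"


def safe_argv(script, query):
    """Preferred fix: an argument vector. No shell parses it, so the query reaches the
    script as a single argv entry no matter which characters it contains."""
    return [sys.executable, script, query]


def run_safely(query):
    """Runs the argv form against a stand-in for the helper script (an inline one-liner
    that prints argv[1], so the example runs offline) and returns what the script saw."""
    stub = "import sys; print(sys.argv[1])"
    result = subprocess.run([sys.executable, "-c", stub, query],
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\r\n")


if __name__ == "__main__":
    for cmd in (unsafe_command("ddg_search.py", INJECTED_QUERY),
                quoted_command("ddg_search.py", INJECTED_QUERY)):
        verdict = "injects an extra command" if has_extra_commands(cmd) else "single command"
        print(f"{cmd!r} -> {verdict}")
    print("argv form delivered to the script:", repr(run_safely(INJECTED_QUERY)))
```

The argv form is the one to require in the skill's documentation; the quoted form only closes the separator problem and still depends on whichever shell the exec wrapper happens to invoke.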

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises trigger phrases that read like ordinary conversation ('搜索…' ('search…'), '查一下…' ('look up…'), '帮我找…' ('help me find…')), which blurs the activation boundary and can cause the skill to intercept routine user requests unintentionally. In an agent environment, this broad invocation surface increases the chance of accidental tool use, unexpected network access, and privacy leakage from forwarding conversational text to external search providers.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README claims the skill can search essentially anything ('什么都能搜', 'can search anything'), without defining limits on supported content, query classes, or safety boundaries. This overbroad framing can encourage the agent or user to treat the skill as universally appropriate, increasing the risk of misuse, inadvertent handling of sensitive queries, and unsafe delegation to external services.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill states that Chinese queries go to Baidu, English queries go to DuckDuckGo, and crypto queries go to CoinGecko as an automatic policy rather than a user choice. This can silently route user data to third-party services based on inferred language or topic, which creates privacy and consent risks and may produce surprising behavior if users expect to choose the search backend.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Trigger phrases such as '搜索[查询内容]' ('search [query]') and similar generic search invocations are broad and overlap with normal conversation. In an agent environment, this can cause accidental activation on ordinary user text, leading to unintentional network requests, browser actions, or script execution without clear intent.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill presents mandatory language-based routing to specific search providers without offering user choice or consent. While not inherently malicious, it can send queries to external services the user did not intend to use, affecting privacy expectations, compliance needs, or regional trust boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User queries are sent to third-party services (CoinGecko, Baidu, and Bing) without explicit disclosure or consent handling in the script. In a search skill, this is contextually expected, but undisclosed outbound transmission can expose sensitive user inputs, especially if users search for personal, confidential, or regulated information.
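
An added static check for the two findings above, the undeclared Bing fallback (Intent-Code Divergence) and the undisclosed outbound transmission (Missing User Warnings): written for this review, not part of the skill or of SkillSpector. The skill source below is a constructed stand-in for the pattern the findings describe, and the declared hostnames are assumed; in a real review, take both from the skill package and its manifest. The check extracts every host the code can reach and diffs it against the manifest's declared engines, so the undeclared destination and the list of hosts needing disclosure fall out of the same pass:

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the skill's source: the real code is not reproduced here,
# only the pattern the findings describe (three declared engines plus a Bing fallback).
SKILL_SOURCE = '''
BAIDU_URL = "https://www.baidu.com/s?wd={q}"
DDG_URL = "https://html.duckduckgo.com/html/?q={q}"
PRICE_URL = "https://api.coingecko.com/api/v3/simple/price?ids={coin_id}&vs_currencies=usd,cny"

def search_with_fallback(q):
    # Undeclared engine reached only when Baidu fails.
    return fetch("https://www.bing.com/search?q=" + q)
'''

# Hosts implied by the manifest's declared engines (Baidu, DuckDuckGo, CoinGecko).
# The exact hostnames are assumed; derive them from the skill's manifest in a real review.
DECLARED_HOSTS = {"www.baidu.com", "html.duckduckgo.com", "api.coingecko.com"}

# Matches http(s) URL literals up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def outbound_hosts(source):
    """Every hostname that appears in a URL literal in the source."""
    hosts = set()
    for url in URL_RE.findall(source):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def undeclared_egress(source, declared):
    """Hosts the code can reach that the manifest never declared."""
    return sorted(outbound_hosts(source) - declared)


def egress_report(source, declared):
    """Three lists a reviewer needs: what matches the manifest, what does not,
    and the full set of third parties that user query text can reach."""
    found = outbound_hosts(source)
    return {
        "declared_and_used": sorted(found & declared),
        "undeclared": sorted(found - declared),
        "needs_disclosure": sorted(found),
    }


if __name__ == "__main__":
    for key, hosts in egress_report(SKILL_SOURCE, DECLARED_HOSTS).items():
        print(f"{key}: {hosts}")
```

String-literal scanning catches the fallback described in this report; hosts assembled at runtime from pieces would need a dynamic egress capture (for instance, running the skill behind a proxy) rather than this grep-style pass.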

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

def fetch_coin_price(query, coin_id='bitcoin'):
    # Default coin_id is assumed: the excerpt begins mid-function, after earlier keyword branches.
    # '以太坊' is Chinese for Ethereum; the raw query text is matched directly against keywords.
    if 'eth' in query.lower() or '以太坊' in query:
        coin_id = 'ethereum'
    # coin_id, derived from user text, is interpolated into an outbound request to a third party.
    url = f"https://api.coingecko.com/api/v3/simple/price?ids={coin_id}&vs_currencies=usd,cny&include_24hr_change=true&include_market_cap=true"
    response = requests.get(url, timeout=10)
    data = response.json()
    return data
Confidence
91% confidence
Finding
https://api.coingecko.com/

VirusTotal

58/58 vendors flagged this skill as clean.
