ClawHub

Youcom Search

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed you.com search and extraction integration whose external data sharing is expected for its purpose.

Install only if you are comfortable sending search terms, research prompts, and submitted URLs to you.com or ydc-index.io. Do not use it with secrets, private repositories, internal-only URLs, regulated data, or access-controlled content, and confirm before paid research or extraction calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends user-supplied URLs and request metadata to a third-party service (`ydc-index.io`) with no runtime disclosure, confirmation, or guardrails. In an agent setting, this can cause accidental exfiltration of sensitive/internal URLs or related content to an external provider, especially because the tool is designed for content extraction rather than clearly local processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the user-provided search query to you.com's external API, which creates a confidentiality risk if the caller includes sensitive, internal, or personal data in the query. The skill metadata warns against sending sensitive data, but the code itself provides no runtime notice, confirmation, or policy guard, so accidental disclosure remains plausible.

External Transmission

Medium
Category
Data Exfiltration
Content
"query": query,
        "num_results": min(num_results, 10),
    }
    url = "https://api.you.com/v1/agents/search?" + urllib.parse.urlencode(params)

    req = urllib.request.Request(
        url,
Confidence
91% confidence
Finding
https://api.you.com/

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal