ClawHub

Everything Cli Search

Security checks across malware telemetry and agentic risk

Overview

This file-search skill is mostly coherent, but it includes an unsafe shell wrapper and under-warned examples that could execute commands, delete files, or expose indexed files if followed carelessly.

Review before installing. Prefer direct es.exe or the Python wrapper over scripts/es_search.sh until eval is removed, do not enable HTTP or ETP/FTP servers except on trusted networks with strong access controls, configure exclusions for sensitive folders, and treat deletion, service, admin, and reindex examples as manual actions requiring explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill is framed as a local search helper, but it also documents commands that modify system state, manage services, rebuild databases, edit file lists, and close or exit the application without any safety guidance or scoping. In an agent context, broad command examples like install, uninstall, service control, and reindex increase the chance that an LLM or user treats destructive or administrative actions as in-scope for ordinary search tasks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document includes HTTP and ETP/FTP server setup and remote connection features even though the skill is described as a local file search tool. In a skill consumed by an autonomous agent, these capabilities materially expand the attack surface by enabling network exposure of indexed files and remote access workflows that are not justified by the stated purpose.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The PowerShell example retrieves paths from search output and deletes them with Remove-Item -Force without any warning, validation, preview, or confirmation step. In a skill/example context, users may copy-paste this directly, and a broad or mistaken query could cause unintended mass deletion of files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises HTTP and ETP server support as a feature and references remote access without warning that enabling these services can expose file names, metadata, and search capability over the network. In a file-search skill, this is security-relevant because users may enable remote access on trusted desktops without understanding authentication, binding, firewall, or privacy implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tip encouraging users to use the HTTP server for phone access directly promotes remote exposure of the local search interface without any caution about network reachability, authentication, or information disclosure. This makes the issue more dangerous because it is actionable guidance that could cause a user to expose sensitive file inventory data to others on the LAN or beyond if misconfigured.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown instructs users to enable HTTP and ETP/FTP servers and provides connection examples, but it does not warn that doing so may expose file names, metadata, and potentially file access to other devices or network users. Because Everything indexes broad portions of a system, enabling these services without privacy and exposure warnings can lead to unintended data disclosure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script builds a shell command string from user-controlled inputs such as QUERY, PATH, and sort fields, then executes it with eval. Because eval causes the shell to re-parse metacharacters and command substitutions, an attacker can inject arbitrary shell commands through those arguments, leading to command execution in the context of the user running the script.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal