Dataify Bing Images

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned Bing image search helper that uses a Dataify API token and outbound requests, with disclosure gaps but no evidence of hidden or destructive behavior.

Install only if you intend to use Dataify/Bing image search and are comfortable providing DATAIFY_API_TOKEN for that purpose. Prefer a scoped/revocable token, review queries before confirming live calls, and treat the missing manifest permissions as a documentation issue the publisher should correct.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read an environment variable (`DATAIFY_API_TOKEN`) and make live network requests via `scripts/bing_images.py`, but no corresponding permissions are declared in the manifest. This creates a capability/permission mismatch that can mislead users and enforcement layers about what the skill can access, increasing the risk of unauthorized secret use and outbound data transfer.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description, 'When users want to use Bing for image search, they can use this skill,' is broad and could cause the skill to activate for many generic image-search requests. Overly broad activation increases the chance the skill is invoked unexpectedly, which matters more here because the skill can access environment secrets and perform network calls after confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.
