ClawHub

Dataify Bing Search

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide Bing search, but its reported behavior expands into authenticated third-party requests with an arbitrary URL override that could expose tokens and user data.

Review before installing. Only use this skill if you are comfortable with queries and optional location data going to the named third-party service, and do not configure sensitive API tokens unless the URL override is removed or strictly allowlisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read an environment variable for authentication and make external network calls, but it does not declare those capabilities as permissions. That creates a transparency and governance gap: operators may invoke the skill without realizing it can access secrets and send data off-platform, increasing the risk of unintended token use or data exfiltration through an external service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a simple Bing search helper, but it actually routes requests through a third-party authenticated service, supports arbitrary request parameter injection, and even allows overriding the destination URL. This mismatch is dangerous because users and reviewers may consent to a benign web search while the skill can send prompts, tokens, and query data to unexpected endpoints, materially expanding the trust boundary and enabling SSRF-like or exfiltration scenarios via --url.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill permits `--url` to replace the hard-coded Dataify endpoint with any arbitrary destination, while still attaching the bearer token and user-supplied search/location data. In the context of a Bing-search skill, this expands scope from a fixed search integration into a generic authenticated HTTP exfiltration primitive.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Documenting arbitrary endpoint override as ordinary CLI behavior normalizes misuse and makes it more likely operators will invoke the skill against unintended destinations. In a skill whose stated purpose is Bing web search, this materially increases the chance of credential leakage and off-purpose data transmission.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation text is broad enough that the skill may trigger for generic search-related requests without the user understanding that an authenticated third-party API call will occur. In this context, unintended invocation is more dangerous because the skill performs external network actions and may use environment-held credentials, so a loose trigger can cause unnecessary data disclosure or unexpected external requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill forwards user queries, location, coordinates, market, and country data to an external third-party API without any explicit disclosure, consent check, or minimization. Because the parser infers geolocation-related fields from natural language, users may unknowingly send more sensitive contextual data than they intended.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal