Dataify Google Search

Security checks across malware telemetry and agentic risk

Overview

No concrete malicious behavior was verified; the available signals point to a broad trigger and normal external-service caution rather than hidden or harmful behavior.

Before installing, confirm you are comfortable with the skill making external search/API requests and handling any required provider token. Use scoped or revocable credentials, avoid sending sensitive queries unless needed, and watch for unintended activation on generic search prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is overly broad and can activate on generic requests like web search or SERP crawling, causing the skill to run in situations the user may not have intended. In a skill that performs external API calls and may handle tokens, ambiguous triggering increases the chance of unintended data transmission or unnecessary invocation of networked actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal