Back to skill

Security audit

Openclaw Multi Search Engine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a web-search guidance skill whose external search behavior matches its purpose, but users should avoid sending sensitive queries to third-party search engines.

Install if you want an agent to perform international web searches. Do not use it with secrets, private names, credentials, confidential project terms, or sensitive personal searches unless you are comfortable sending those queries to external search providers. Keep safe-search enabled unless you deliberately need otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs users to send arbitrary search queries to numerous third-party search engines via direct web requests, but it does not warn that all submitted terms will be transmitted to external services and may be logged, profiled, or exposed to jurisdiction-specific privacy practices. This is especially risky because search queries often contain sensitive research topics, internal project names, credentials pasted by mistake, or personal data, and the skill normalizes sending such data to 17 different providers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document repeatedly instructs use of web_fetch with third-party search URLs, which would transmit user queries, metadata, and potentially sensitive search terms to external providers. In an agent skill context, this is a real privacy and data-handling risk because users may not realize their prompts are being forwarded off-platform or logged by search engines.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide includes examples for disabling safe search and viewing cached/deleted content without cautionary framing. In a reusable skill, these patterns can facilitate access to harmful, inappropriate, or privacy-sensitive material and normalize bypassing protective controls.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.