SearchOnlineAssets

Security checks across malware telemetry and agentic risk

Overview

This skill is a dLazy-mediated Pixabay asset search helper with disclosed API-key use, though its docs should be clearer about dLazy versus Pixabay credentials and traffic.

Install only if you are comfortable using dLazy as the intermediary for Pixabay searches and storing or supplying a dLazy API key. Prefer the DLAZY_API_KEY environment variable if you do not want a persistent ~/.dlazy/config.json credential, and review the @dlazy/cli source/package before global installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The skill is presented as a Pixabay search wrapper, but the documentation shows requests and credentials flow through dLazy infrastructure. This is a security-relevant disclosure mismatch because users may assume direct third-party access while actually entrusting queries and API keys to an additional service, affecting data handling, trust boundaries, and incident response.

Intent-Code Divergence

Medium
Confidence: 88%
Finding:
The metadata lists dLazy-controlled API endpoints, while the narrative describes the tool as a lightweight wrapper over Pixabay and says returned asset URLs are hosted by Pixabay. This contradiction obscures the real execution path and may cause operators to misconfigure network policy, logging, or vendor risk reviews, which is dangerous in agent environments that rely on accurate skill provenance.

Intent-Code Divergence

Medium
Confidence: 84%
Finding:
The error handling tells the agent to interpret a missing 'Pixabay API key' as a workspace credential issue, but the rest of the document says authentication uses a dLazy API key. Conflicting auth semantics can lead to incorrect troubleshooting, unsafe retry behavior, and disclosure of the wrong operational dependencies to users and administrators.

VirusTotal

65/65 vendors flagged this skill as clean.
