Local Websearch 1

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that sends search terms to a user-configured SearXNG server, with minor setup and routing cautions.

Install only if you trust the SearXNG instance configured in SEARXNG_URL, since your search terms will be sent there and may reach upstream search engines. Expect possible setup friction unless the command path is corrected or the package installer places the script under scripts/.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrases are broad enough to match many ordinary user requests such as 'look up', 'find information about', or even 'what is', which can cause the agent to invoke this skill more often than intended. Over-broad routing increases the chance of unnecessary external network calls and unintended disclosure of user queries to the configured SearXNG service, especially when requests could have been answered locally.

VirusTotal

66/66 vendors flagged this skill as clean.
