ClawHub

search1api

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-search skill that uses a third-party CLI/API, with privacy cautions users should understand before use.

Install only if you are comfortable using Search1API as a third-party web access provider. Verify the npm CLI before global installation, use a dedicated API key where possible, monitor usage or credit costs, and do not send credentials, private/internal URLs, confidential documents, regulated data, or sensitive personal information through search, crawl, sitemap, or reasoning commands unless you intentionally accept that data transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger guidance is unusually broad and encourages invocation even when the user does not explicitly request web access, including on any bare URL and many common research-like phrases. In practice, this can cause unnecessary use of an external networked tool, expanding data exposure and increasing the chance that user-provided content is sent to a third-party service without clear need or consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to send shared URLs, queries, and page content to the `search1api` external service, but it does not warn about this data transfer or advise caution with sensitive information. This creates a privacy and data-handling risk because users may reasonably assume their input is processed locally or by first-party tooling when, in fact, it is disclosed to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal