Back to skill

Security audit

Openclaw Smart Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multi-engine search skill, but it includes unsafe credential setup and display paths that users should review before installing.

Review or remove quick-config.sh before use, supply your own provider API keys, avoid key:get/status in shared terminals or logs, and treat every search query or crawl target as data sent to third-party providers. Protect OPENCLAW_MASTER_KEY like a password and prefer a secret manager or tightly permissioned file over plaintext .env or shell-profile storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions while the documentation clearly indicates use of environment variables and shell-capable tooling (`node`, `mcporter`, `npm`, and CLI commands). This creates a transparency and governance problem: users and tooling may underestimate what the skill can access or execute, increasing the chance of unsafe deployment in permissive environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is 'search', but the documented behavior expands into secret management, `.env` modification, config mutation, diagnostics, publishing, and logging. This broader operational scope materially increases attack surface and trust requirements, because a user enabling a search skill may unintentionally grant a credential- and system-touching tool much more authority than expected.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `get` command retrieves an engine API key and prints it directly to stdout with `console.log(key)`. This can expose secrets to terminal history, logs, CI output, shell captures, and any parent process invoking the script, creating a straightforward credential disclosure path.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The setup wizard generates a new master key and writes it to a local .env file, which extends the skill from search functionality into local secret creation and persistence. Storing a long-lived decryption/encryption secret in a plaintext environment file increases exposure through accidental commits, backups, shell history/workspace leakage, or permissive filesystem permissions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The `get` CLI command retrieves an engine API key and prints the full secret to stdout. This creates a direct secret-disclosure path: keys can be exposed in terminal history, shell logs, process capture, CI logs, screen recordings, or remote support sessions, enabling unauthorized use of paid search providers and possible downstream account abuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The `status` command reveals partial API key material by printing a prefix and suffix of each secret. Even partial disclosure aids fingerprinting, correlation across systems, and verification of guessed or leaked keys, and it provides secret-inspection capability unrelated to normal search execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds five live-looking third-party API credentials directly in source and automatically installs them into the skill configuration. Hardcoded secrets in a distributed skill are inherently dangerous because anyone with repository or package access can extract, abuse, rotate around attribution, or incur costs against those provider accounts.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comments claim this is a normal default configuration flow, but the implementation silently injects explicit provider secrets. That mismatch is security-relevant because it misleads operators about what the script does, reducing scrutiny and increasing the chance they will execute code that provisions hidden credentials.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script automatically sources a project-local .env file and exports every variable into the child process environment before invoking Node. In a skill context, this broadens the script's access to secrets and runtime configuration beyond the minimum needed for a search wrapper, and if the .env file is attacker-controlled or overly permissive it can influence downstream behavior or expose credentials to dependencies and subprocesses.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The setup script generates a master encryption key, stores it in the current process environment, and then prints a shell export command containing the full key for the user to persist. Exposing a root secret in terminal output and encouraging long-term storage in shell init files broadens access to any encrypted secrets protected by that key and exceeds the narrow scope of configuring a single search provider.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The code places the Bailian API key into the child process environment, which broadens exposure beyond the current process. Even though this is likely done for legitimate integration reasons, environment-based secret passing can leak credentials through subprocess inspection, inherited environments, crash reports, or unintended behavior inside the external `mcporter` tool, making the trust boundary larger than a normal search adapter.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This file embeds a full secret-management CLI into a search skill, including initialization from environment variables, listing, status inspection, retrieval, and rotation of API keys. While likely added for operational convenience rather than malice, it materially expands the skill's authority beyond search and creates extra pathways for secret exposure through command misuse, logs, terminal history, or accidental invocation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code includes functions that reveal secrets directly: getEngineKey returns the raw API key, and showStatus prints key previews to stdout. In this skill context, exposing provider credentials is not necessary for performing search and increases the chance of credential theft, shoulder surfing, CI log leakage, or capture by surrounding tooling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The router explicitly detects scraping/crawling intents and prioritizes Firecrawl, which expands behavior from search aggregation into web content extraction. In an agent skill, that capability broadening matters because user prompts that appear to request search can trigger site scraping or markdown extraction against arbitrary URLs, increasing data-access and policy risk beyond the stated search-only scope.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document tells users to run search and web-crawl commands that will send prompts, URLs, and possibly sensitive research queries to external providers, but it does not warn about third-party data transmission, retention, or provider-specific privacy implications. In a skill that aggregates multiple search engines and a crawler, that omission is security-relevant because users may unknowingly expose confidential inputs to several services at once.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Printing a retrieved secret without warning or safeguards materially increases the chance of accidental disclosure. In the context of a multi-engine search skill, leaked API keys could let an attacker consume paid quotas, impersonate the service, and potentially access provider-linked data or telemetry.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script collects a sensitive API key, stores it, and also prints guidance that embeds the generated master key directly into shell startup files. It further reveals part of the API key in console output and uses a temporary in-process master key if none is set, which can lead to insecure secret handling, accidental disclosure via terminal logs, shell history, screenshots, or persistent plaintext exposure in profile files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
API keys are collected with readline.question, so the entered secret will be echoed visibly in the terminal. This can expose credentials to shoulder surfing, screen recording, terminal logging, or shared-session capture, which is especially sensitive in a setup workflow dedicated to credential entry.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Printing full API keys to stdout without any warning or safeguard materially increases the likelihood of accidental exposure. In practice, operators may run this command in terminals with logging, copy/paste buffers, shared shells, or automated tooling, causing silent credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The router logs the raw user query and derived analysis fields directly to console, which can expose sensitive search terms, personal data, API-related content, or confidential research topics to logs and downstream log processors. In a search skill, queries are inherently user-supplied and often privacy-sensitive, so indiscriminate debug logging creates a real information disclosure risk even if no attacker is actively exploiting it.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This debug block again emits full query contents, lowercased query text, and matched keywords during engine selection, increasing the exposure surface for sensitive user input. Because this skill centrally routes all searches across multiple engines, the skill context makes the issue more dangerous: a single logging point can capture every user request, including private, regulated, or proprietary queries.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The `get` command prints the raw API key directly to stdout, which can expose credentials through terminal history, shell logging, CI logs, remote session recording, or accidental copy/paste disclosure. Because this skill integrates multiple paid external providers, leaked keys could allow unauthorized API usage, billing abuse, and loss of control over upstream accounts.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script generates a master key and writes it in plaintext to a local .env file without warning, permission hardening, or guidance on safe handling. In shared systems, backups, shell history, accidental commits, or broad file permissions can expose that secret and compromise whatever encryption or secret-management scheme depends on it.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This portion of the script provisions multiple API credentials into the local configuration with no explicit consent, warning, or storage transparency. That is dangerous because it normalizes opaque credential handling and can leave sensitive tokens persisted on disk or in config artifacts where users may later leak them unintentionally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script generates a master key and writes it directly into a plaintext .env file without warning, confirmation, or permission hardening. While common in developer tooling, this can expose a high-value secret through accidental commit, overly broad file permissions, backups, or local compromise, especially because this key appears to protect other stored secrets.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/engines/bailian.js:11

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/doctor.ts:46

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup-bailian.ts:40

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/engines/bailian.ts:10

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
CONFIG_AND_TEST.md:64