360 Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward 360 Search helper, but users should understand that searches are sent to an external search site.

Install only if you are comfortable with search terms being sent to 360 Search through an automated browser. Do not use it for secrets, private customer data, credentials, or sensitive internal terms, and expect to install/trust Playwright and browser dependencies yourself because the package documentation is incomplete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
91% confidence
Finding
The search method sends raw user queries to a third-party search engine, which exposes potentially sensitive user input to an external service without any built-in disclosure, consent, or privacy controls. In an agent/skill context, users may assume inputs stay within the local tool, so silent transmission can leak personal, proprietary, or regulated data.

Missing User Warnings

Medium
91% confidence
Finding
The news search function transmits user-supplied queries to an external endpoint without warning or consent handling, creating a privacy and data-governance risk. This is especially relevant in agent skills because user prompts may contain confidential context that gets forwarded verbatim to the third party.

Missing User Warnings

Medium
90% confidence
Finding
The image search method also forwards user queries to an external service with no disclosure, which can unintentionally expose sensitive search terms or internal information. Because this skill is specifically designed as a search client, the behavior is expected functionally, but it still represents a real privacy vulnerability when not clearly disclosed to the user.

Missing User Warnings

Low
92% confidence
Finding
The README instructs users to perform web, news, and image searches through a third-party search engine but does not clearly disclose that user queries will be transmitted to an external service. This can expose sensitive prompts, internal terms, or user data if operators assume the skill is purely local, making the omission a real privacy and data-handling issue even though the functionality itself is expected for a search skill.

VirusTotal

67/67 vendors flagged this skill as clean.
