Security audit

Hot Search

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed web-search tool, but it also contains under-disclosed image-search and image-download code that can write remote content to local paths.

Review before installing. Use it only if you are comfortable with a scraping-style search skill that sends queries to external search engines. Avoid confidential search terms, verify financial results against original sources, and do not let agents call the image download methods unless the code is updated to require explicit approval, restrict writable paths, validate content, and pin dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents network-backed search behavior, but the metadata shown in SKILL.md does not declare corresponding permissions. In an agent ecosystem, missing permission declarations weaken user consent and policy enforcement because the skill can exercise network or MCP-like capabilities that are not transparently disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is a financial/market search skill, but the analyzed behavior reportedly includes broader web search, image search, remote image downloading, and local file writes. That mismatch is dangerous because users and policy engines may grant trust based on a narrow financial-search use case while the skill can retrieve arbitrary remote content and persist files locally, expanding the attack surface for data exfiltration, storage abuse, or unexpected content ingestion.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest presents this as a finance/market-data search skill, but the implementation includes image search and arbitrary image download to local disk. This expands the skill's capabilities beyond user expectations and creates unnecessary risk by enabling unadvertised network retrieval and file writes from external URLs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes multi-engine web search and emphasizes free, unlimited use, but it does not disclose that user queries are transmitted to third-party search engines and external data sources. In a finance-focused skill, queries may contain sensitive research interests, proprietary market questions, or other confidential business context, so the omission creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting section suggests tactics like using proxy IPs and rotating User-Agent values to deal with blocking, without any warning about terms-of-service violations, legal exposure, or account/network abuse risk. That guidance can facilitate evasive scraping behavior and misuse of third-party services, especially in a tool explicitly designed for repeated aggregated search requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill downloads attacker-controlled remote content and writes it to local disk without meaningful prior notice, approval, or safety checks. In an agent environment, silent file creation from arbitrary URLs can be abused for storage abuse, persistence of unwanted content, or planting misleading files in shared workspaces.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
97% confidence
Finding
lxml>=4.9.0

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisories: CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
lxml

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.