Back to skill

Security audit

multi-search-engine-refined

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only search helper for named public search engines, with the main risk being that search terms are sent to those providers.

Install only if you are comfortable sending search terms to Google, DuckDuckGo, Brave Search, or WolframAlpha. Avoid searching for secrets, credentials, private customer data, confidential project names, or other sensitive identifiers through this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document includes ready-to-use web_fetch examples that send arbitrary search terms directly to third-party search engines, but it does not warn users that their queries will be transmitted off-platform. In a search skill, this can expose sensitive prompts, internal identifiers, or user-provided data to external services and associated logging systems, especially when examples encourage direct copy/paste use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.