ClawHub

Google Search Unlimited V2

Security checks across malware telemetry and agentic risk

Overview

This search skill performs expected web-search actions, but it has material transparency and integrity concerns around mocked results, provider provenance, external query sharing, and local retention of raw searches.

Install only if you are comfortable with search terms being sent to external providers and stored locally. Treat outputs carefully until the publisher clearly separates live search from mock/test results, labels the actual provider for every result, and documents how to disable or purge caches and exported search data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises network access, environment variable use, local caching, and shell-based installation/usage patterns, but does not declare corresponding permissions. This creates a transparency and consent problem: users and hosting platforms may not realize the skill can send queries to external providers, read secrets from the environment, and write local cache files, which increases the risk of unintended data disclosure or unsafe execution assumptions.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The skill is presented as Google Search, but the implementation can return results from DuckDuckGo, cache entries from other providers, or mock Oxylabs data. This is dangerous because downstream agents or users may rely on provider-specific assumptions about provenance, accuracy, or policy compliance and make decisions on mislabeled search data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims to use an OpenClaw Oxylabs tool but actually returns fabricated mock results. Returning synthetic data as if it were real search output can mislead users, poison agent reasoning, and cause unsafe automated decisions based on nonexistent evidence.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code advertises 'REAL OpenClaw integration' but actually returns fabricated mock results. This is dangerous because downstream agents or users may trust the output as real search data and make decisions based on false information, creating integrity and provenance risks. In an agent skill, misleading implementation claims increase risk because orchestration logic may assume external validation occurred when it did not.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages sending user queries to OpenClaw tools, Google, DuckDuckGo, Brave, and other providers, and it describes local caching, but it does not prominently warn users that their queries may leave the local environment and be stored on disk. Search terms often contain sensitive business, personal, or investigative data, so undisclosed third-party transmission and caching can expose confidential information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code writes both the original queries and full result data to a JSON file when an output path is provided, but gives no warning, redaction, or opt-in protection for potentially sensitive search terms or returned content. In a search skill, queries may contain confidential research topics, credentials-related text, incident terms, or personal data, so persisting them to disk can create unintended data exposure through local files, backups, logs, or later sharing.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The test script performs real search operations through `SearchEngine.search()` using user-visible queries, but it does not clearly warn that external network requests may be sent during testing. This can surprise operators, leak test queries to third-party providers, and create unintended outbound traffic or API usage, especially in automated or restricted environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User search queries are persisted in a local SQLite database by default, and search terms often contain sensitive internal data, credentials, incident details, or personal information. In an agent environment, silent retention increases the risk of privacy leakage, forensic recovery, or unintended cross-user data exposure if the workspace is shared.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Google API path transmits the user's raw search query to a third-party service without any explicit user warning or consent flow. In agent workflows, prompts and search terms may contain proprietary, regulated, or personal data, so silent exfiltration to external providers is a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The DuckDuckGo API path also sends user queries to an external service without a clear privacy warning. Because agent-supplied queries may include secrets or sensitive investigative context, this can leak data outside the trusted execution boundary.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The cache stores raw search queries and full result payloads persistently in a local SQLite database without notice or controls. Search queries can contain sensitive business, personal, or security-relevant data, and persistent storage increases the chance of unintended disclosure to other local users, later processes, backups, or forensic recovery.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill transmits user search queries to external services without explicit disclosure or consent. Queries may contain confidential prompts, internal project names, credentials accidentally pasted by users, or other sensitive content, so sending them to third-party providers creates a real privacy and data-governance risk. In a search skill this behavior is expected, but the lack of transparency still makes it a valid issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal