NetDisk Search

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent net-disk search/deployment helper, but it needs review because it can deploy a persistent network service and sends search terms, share links, and extraction passwords to an HTTP API without explicit consent or scoping.

Install only if you intend to run a self-hosted net-disk search service. Review the Docker image source, bind the service to localhost or firewall it, enable authentication, avoid sending sensitive search terms or private share links to remote API endpoints, and do not reuse an important password, because the deploy script prints the configured credentials to stdout.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes shell execution, environment-variable use, network access, Docker deployment, and remote downloads, yet no permissions are declared. This can cause an agent or user to invoke powerful capabilities without clear consent boundaries, increasing the risk of unintended command execution, network exposure, and data transmission.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script removes the existing container using the originally requested name, and only afterwards changes the effective container name in web mode by appending '-web'. As a result, an old web-mode container may be left running and the new deployment can fail or behave unpredictably, creating operational and security drift: users believe they replaced the running service when they did not.
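The ordering bug described in this finding, reproduced as an added example (this is not the skill's own deploy script; the container name, image tag, the "web"/"api" mode argument and the `docker` recorder stub are assumptions so it runs offline). `deploy_buggy` mirrors the divergent ordering, `deploy_fixed` resolves the effective name before removing anything:

```shell
#!/usr/bin/env bash
# Added example: container-name divergence in a deploy script and its fix.
# Assumptions: requested name + mode ("web" or "api"); web mode appends "-web".
# `docker` is shadowed by a recorder so nothing is actually started or removed.
set -eu

ACTIONS=""   # records the docker commands that would have run
docker() { ACTIONS="${ACTIONS}docker $*;"; }

# Buggy ordering (as in the finding): removal uses the requested name,
# the effective name is only computed afterwards, so in web mode the
# old "<name>-web" container survives and the new run may collide.
deploy_buggy() {
    local requested="$1" mode="$2" name="$1"
    ACTIONS=""
    docker rm -f "$requested"                 # wrong target in web mode
    if [ "$mode" = "web" ]; then name="${requested}-web"; fi
    docker run -d --name "$name" netdisk-search:example
    printf '%s' "$ACTIONS"
}

# Fixed ordering: resolve the effective name first, remove that one,
# then run under the same name so the new container really replaces the old.
effective_name() {
    local requested="$1" mode="$2"
    if [ "$mode" = "web" ]; then printf '%s-web' "$requested"; else printf '%s' "$requested"; fi
}

deploy_fixed() {
    local name
    name="$(effective_name "$1" "$2")"
    ACTIONS=""
    docker rm -f "$name"
    docker run -d --name "$name" netdisk-search:example
    printf '%s' "$ACTIONS"
}

# Helper for review: which container name did the removal target?
removed_name() {
    printf '%s' "$1" | sed -n 's/^docker rm -f \([^;]*\);.*/\1/p'
}
```

Running `deploy_buggy netdisk web` records a removal of `netdisk` followed by a run named `netdisk-web`; `deploy_fixed` removes and runs `netdisk-web`, which is the replacement the user expects.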

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documented trigger phrases are broad enough to match ordinary user requests such as searching for movies, resources, or deploying services, which can cause the skill to activate when the user did not explicitly intend to invoke it. In an agent setting, this increases the chance of unexpected network searches or deployment-related actions being performed from casual conversation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README presents one-command deployment that pulls and runs a container but does not clearly warn that this installs software, exposes a network service, and may persist across reboots via restart policies. In an agent-assisted workflow, a user may interpret this as a harmless setup step and unknowingly authorize system-changing actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include broad everyday language such as 搜资源 ("search for resources"), 找资源 ("find resources") and 找电影 ("find movies"), making accidental activation more likely during normal conversation. In a skill that can run scripts and deploy services, ambiguous invocation materially raises the chance of unintended network calls or shell actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The documentation says the agent will automatically call scripts based on natural-language requests, but it does not define strict trigger boundaries or safety checks. This creates a realistic pathway for unintended execution of search, link checking, or deployment behavior from loosely phrased user messages.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to deploy a Docker container and expose port 8888, but it does not warn about network exposure, authentication, or the risks of running a third-party image. Users may unintentionally start an unauthenticated local service reachable beyond localhost, expanding the attack surface.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill omits a privacy warning that search keywords and user-submitted links are sent to the API service for processing. Because the skill handles potentially sensitive queries and URLs, users may disclose personal, confidential, or legally sensitive information without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that GET /api/search is equivalent to POST and accepts parameters via the URL query string, but it does not warn that search terms and filters placed in URLs are commonly logged by browsers, reverse proxies, web servers, analytics systems, and shared history. If users search for sensitive or copyrighted content, those terms may be exposed unintentionally even when the service is only bound to localhost behind other infrastructure.
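An added illustration of the logging exposure this finding describes (not code from the skill or its documentation): a few constructed access-log lines in the common combined format, and a check that pulls out every search term that reached the log via the GET form of `/api/search`. The `kw`/`exclude` parameter names are assumptions; the point is that the POST request leaves only the path in the log while the GET requests leave the full query.

```shell
#!/usr/bin/env bash
# Added example: what an access log keeps for GET vs POST /api/search.
# The log lines below are constructed for illustration; parameter names
# (kw, exclude, page) are assumptions, not taken from the skill.
set -eu

SAMPLE_LOG='127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /api/search?kw=internal+audit+2025&page=1 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /api/search HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2025:10:00:03 +0000] "GET /api/search?kw=secret%20project&exclude=draft HTTP/1.1" 200 300 "-" "curl/8.0"'

# Print the query string of every GET /api/search request, one per line.
# This is exactly what a reverse proxy, web server or shell history retains.
leaked_search_queries() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*"GET \/api\/search?\([^ "]*\) HTTP[^"]*".*/\1/p'
}

# How many searches are exposed through the URL versus sent in a POST body
# (the POST line carries only the path; its body is not in the access log).
count_get_searches()  { leaked_search_queries | wc -l | tr -d ' '; }
count_post_searches() { printf '%s\n' "$SAMPLE_LOG" | grep -c '"POST /api/search '; }

# Just the kw= values (still URL-encoded) for a reviewer to eyeball.
leaked_keywords() {
    leaked_search_queries | tr '&' '\n' | sed -n 's/^kw=//p'
}
```

Running `leaked_keywords` over the sample prints `internal+audit+2025` and `secret%20project`; the POST search contributes nothing. Using the POST form for anything sensitive, and stripping the query string from the access log format in front of the service, removes the exposure without changing the API.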

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script transmits user-supplied links and optional extraction passwords to an HTTP API endpoint, and by default may auto-detect and use a local or explicitly supplied server without clearly warning the user that sensitive data will be sent off-process. This is dangerous because share links and extraction codes can be private access credentials, and transmission over plain HTTP or to an untrusted API could expose them to interception, logging, or misuse.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script echoes the configured username and password in cleartext to stdout after deployment. This can leak secrets into terminal scrollback, shell logging, CI/CD logs, remote session transcripts, and shared administration consoles, exposing credentials to unintended viewers.
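The mitigations from the overview (bind to localhost, enable authentication, do not reuse passwords) and from this finding and the port-8888 exposure finding, shown in one added deploy wrapper. This is not the skill's deploy script: the image tag, the `NETDISK_USER`/`NETDISK_PASS` variable names, the `admin` user and the 8888 port mapping are assumptions, and the `docker run` command is printed rather than executed so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example: hardened deploy wrapper. Generates a random password, binds
# the service to loopback, keeps the credential out of the command line and
# stdout (env-file with mode 0600), and only reports where it was stored.
# Image name, env variable names and the port mapping are assumptions.
set -eu

gen_password() {           # 32 hex chars from the kernel CSPRNG
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Writes NETDISK_USER/NETDISK_PASS into a file readable only by the owner,
# so the secret never shows up in `ps`, shell history or terminal scrollback.
write_env_file() {
    local path="$1" user="$2" pass="$3"
    ( umask 077; printf 'NETDISK_USER=%s\nNETDISK_PASS=%s\n' "$user" "$pass" > "$path" )
    printf '%s\n' "$path"
}

# Builds the docker run command. Note the loopback bind (127.0.0.1:8888:8888)
# instead of -p 8888:8888, which would listen on every interface, and an
# explicit restart policy so persistence across reboots is a visible choice.
build_run_cmd() {
    local name="$1" env_file="$2" image="$3"
    printf 'docker run -d --name %s --restart unless-stopped -p 127.0.0.1:8888:8888 --env-file %s %s\n' \
        "$name" "$env_file" "$image"
}

deploy() {
    local name="$1" image="$2" dir="$3" pass env_file
    pass="$(gen_password)"
    env_file="$(write_env_file "$dir/netdisk.env" admin "$pass")"
    build_run_cmd "$name" "$env_file" "$image"
    # Tell the operator where the credential lives instead of echoing it.
    printf 'credentials written to %s (mode 0600); not shown here\n' "$env_file" >&2
}
```

A usage call such as `deploy netdisk-search netdisk-search:example /etc/netdisk` prints the command to run and a pointer to the env-file; the password itself never reaches stdout or the process list. (`docker inspect` still reveals environment variables to anyone who can talk to the Docker socket, so the env-file protects against log and scrollback leakage, not against a local Docker-group user.)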

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user search keywords and optional include/exclude filter terms to an API endpoint, including non-local candidates such as https://netdisk-search.example.com, without any explicit notice or consent prompt. Because these queries may reveal sensitive interests or potentially illegal/personal search activity, silent network transmission creates a real privacy and data-exposure risk, especially since the endpoint can also be supplied via environment variable or CLI override.
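A pre-flight check that addresses this finding and the earlier one about share links and extraction passwords, added here as an example (it is not the skill's client code). Before sending anything, the endpoint is resolved with the precedence the finding describes (CLI override, then environment variable, then a local default) and rejected unless it is HTTPS or a loopback address; an explicit opt-in variable is the only way past that. The `NETDISK_API` and `ALLOW_INSECURE_API` variable names and the `http://127.0.0.1:8888` default are assumptions.

```shell
#!/usr/bin/env bash
# Added example: refuse to send search terms, share links or extraction
# passwords to an API endpoint that is neither loopback nor HTTPS.
# NETDISK_API, ALLOW_INSECURE_API and the default URL are assumed names.
set -eu

# Returns 0 when the endpoint is acceptable for sensitive data:
#   - https:// to any host, or
#   - http:// to a loopback address (127.0.0.0/8, [::1], localhost).
# Returns 1 otherwise (plain HTTP off-box, unknown scheme, not a URL).
check_api_endpoint() {
    local url="$1" rest host
    case "$url" in
        https://*) return 0 ;;
        http://*)  ;;
        *)         return 1 ;;
    esac
    rest="${url#http://}"
    host="${rest%%/*}"            # drop the path
    host="${host#*@}"             # drop any userinfo
    case "$host" in
        "[::1]"|"[::1]:"*) return 0 ;;
        *) host="${host%%:*}" ;;  # drop the port (IPv4 / hostname)
    esac
    case "$host" in
        localhost|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the endpoint (CLI override beats env var beats local default),
# then gate on the check. ALLOW_INSECURE_API=1 is the loud, explicit opt-in.
resolve_api_endpoint() {
    local cli="${1:-}" url
    url="${cli:-${NETDISK_API:-http://127.0.0.1:8888}}"
    if check_api_endpoint "$url" || [ "${ALLOW_INSECURE_API:-0}" = "1" ]; then
        printf '%s\n' "$url"
        return 0
    fi
    printf 'refusing to send search data to %s: not loopback and not HTTPS\n' "$url" >&2
    return 1
}
```

With this in front of the search and link-check calls, `NETDISK_API=http://10.0.0.5:8888` fails closed with a message naming the endpoint, while the loopback default and any HTTPS endpoint pass; the caller also has a natural place to print a one-line notice of what is about to leave the machine.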

VirusTotal

VirusTotal findings are pending for this skill version.
