A google search powered by scrapingdog

Security checks across malware telemetry and agentic risk

Overview

This is a small ScrapingDog-backed Google search skill whose third-party network use is expected for its purpose, though users should avoid sensitive search terms.

Install only if you are comfortable sending search queries to ScrapingDog using your SCRAPINGDOG_API_KEY. Avoid using it for secrets, credentials, confidential business content, or regulated personal data, and be aware that the bundled script may need a small bug fix before it runs successfully.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 91% confidence
Finding: The skill uses very broad auto-invocation language such as 'whenever the user wants to search the web' and even when they do not explicitly request this tool. That can cause the agent to route general requests into an external-network skill unexpectedly, sending user queries to a third party and increasing the chance of unintended data disclosure or overuse of external capabilities.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup and usage text does not clearly warn that entered queries are transmitted to the external ScrapingDog service, which may process or log them. Without an explicit disclosure, users or higher-level agents may pass sensitive prompts, identifiers, or internal information to a third party without informed consent.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal