Perplexity AI Search - security-hardened version (bash-based)

Security checks across malware telemetry and agentic risk

Overview

This Perplexity search helper does what it claims, but it sends queries to Perplexity and declares an unused GitHub web-fetch permission that users should notice.

Install this only if you intend to use a billable Perplexity API key and are comfortable sending search prompts, plus any custom system prompt you provide, to Perplexity. Use a dedicated key, monitor usage, avoid confidential or proprietary queries, and consider removing or questioning the unused GitHub WebFetch permissions before installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises shell and environment-variable based capabilities but does not declare permissions in the manifest. That mismatch weakens policy enforcement and user/agent transparency, making it easier for a skill to execute commands or access secrets without explicit review. In this context, the skill is intended to call external tooling and use API credentials, so undeclared capabilities are a real governance and containment issue.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description says the skill is the default whenever the user needs current information or references, which is broad activation logic. Over-broad routing can cause unintended invocation of a networked, credential-using skill for loosely related prompts, increasing data exposure and unnecessary external transmission. The skill context makes this more significant because it explicitly sends user queries to a third-party API.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script automatically retrieves an API key from config.json or the environment and sends it to a third-party service without any explicit user-facing disclosure or consent mechanism at runtime. While this is the expected behavior of an API client, it still creates a real data-transfer risk in agent environments where users may not realize credentials are being used for outbound requests.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The user query and optional system prompt are serialized into a JSON request body and transmitted to an external API. In an agent setting, prompts can contain sensitive user data, internal instructions, or proprietary context, so sending them off-box without clear disclosure can result in unintended data exfiltration.

External Transmission

Medium
Category
Data Exfiltration
Content
1. **No command injection** - User input is passed to Python via environment variables, never interpolated into code strings
2. **Input validation** - All parameters are validated (numeric ranges, allowed model names, allowed context values)
3. **API key protection** - The Authorization header is passed to curl via a temporary config file (`curl -K`, mode 600) and the request body via stdin (`--data @-`), so neither the API key nor the body appears in process listings (`ps aux`)
4. **Query length limit** - Queries are capped at 8000 characters to prevent denial-of-wallet attacks
5. **Strict model allowlist** - Only known valid models are accepted
Confidence
88% confidence
Finding
curl via a temporary config file (`curl -K`, mode 600) and the request body via stdin (`--data

VirusTotal

66/66 vendors flagged this skill as clean.
