Easy Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search helper that sends queries to public search engines and caches results locally as described.

Install only if you are comfortable with your search terms being sent to public search engines and possibly through any proxy configured in your environment. Avoid searching for secrets, credentials, private customer data, or internal-only project details; use a specific engine and --no-fallback when you want tighter control over where a query goes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages users to submit arbitrary search queries and explicitly supports proxies, but it does not clearly warn that queries, metadata, and possibly proxy-routed traffic will be sent to third-party services. This can expose sensitive prompts, internal project names, credentials mistakenly pasted into queries, or user IP/network metadata to external search engines and proxy operators.

Missing User Warnings

Medium
Confidence: 87%
Finding
The tool sends raw user queries to third-party search engines across multiple providers, which can disclose sensitive prompts, internal project names, credentials accidentally pasted into queries, or user metadata to external services. In an agent-skill context this is more dangerous because users may assume the tool is a local capability and may not realize their inputs are being transmitted off-box.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script automatically reads proxy settings from environment variables and routes outbound traffic through them without prominently warning the user. This can expose search queries and browsing metadata to an unexpected intermediary, especially in shared, enterprise, or preconfigured agent environments where proxy variables may already be set.

VirusTotal

64/64 vendors flagged this skill as clean.
