Back to skill

Security audit

Search

Security checks across malware telemetry and agentic risk

Overview

This is a real web-search skill, but it embeds a Tavily API key and runs an unreviewed local Python script for normal searches, so it needs careful review before use.

Review before installing. Avoid sensitive searches unless you remove and rotate the embedded Tavily key, verify or vendor the external Python script, and fix the multi-engine path so its behavior matches the documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The search skill invokes a local Python script via subprocess to fulfill a web-search request, which grants a much broader execution capability than the tool’s stated purpose requires. Even though the command and script path are fixed here, this expands the attack surface to local code execution, script tampering, and unintended access to local resources if the script or environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill reads backend URLs and API credentials from environment variables, including a local SearXNG endpoint and Tavily API key, despite being presented as a generic search tool. Accessing credentials and internal configuration increases sensitivity because the tool now depends on secrets and potentially internal services that are not obvious from its public purpose.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comments state the multi-search branch works without an API key, but the implementation still loads and passes a Tavily API key. This mismatch is security-relevant because it can mislead reviewers and users about credential usage, causing unapproved secret disclosure to a subprocess or external dependency.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code comment claims it calls a multi-search-engine skill, but it actually executes the same Tavily Python script path used elsewhere. This deceptive or inaccurate implementation can hide the true execution path from reviewers, making it harder to assess data flow, third-party dependency use, and secret exposure.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded fallback Tavily API key is embedded directly in the source. Hardcoded credentials are dangerous because they can be extracted from source control or deployments, abused by unauthorized parties, and may bill or impersonate the owner without user knowledge.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill executes an external Python script as part of search behavior without clear disclosure to users. Hidden subprocess execution matters because users may expect a constrained web lookup but instead trigger local code execution paths with different security and privacy properties.

Missing User Warnings

High
Confidence
99% confidence
Finding
The same hardcoded fallback API key is reused in the multi-engine branch, compounding the credential exposure problem and extending it to another execution path. This broadens the chance of unauthorized usage and makes the secret harder to eliminate safely because multiple branches depend on it.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A second branch also launches a subprocess without clear user-visible warning, increasing the likelihood that users unknowingly trigger local script execution. Repeated hidden execution paths indicate a broader design issue where the skill’s actual capabilities exceed its declared search-only scope.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code embeds a live-looking Tavily API key as a fallback when the environment variable is absent. Hardcoded credentials are dangerous because they can be extracted from source control, reused by unauthorized parties, and may cause the application to silently use a shared secret in production without operator awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
plugin.ts:74

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
providers/searxng.ts:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
providers/tavily.ts:8