Nimble Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Nimble web-search skill that sends user searches and a Nimble API key to Nimble's external search API as its core function.

Install this only if you intend to use Nimble's external search API. Use a dedicated revocable Nimble API key, avoid putting secrets or confidential project details in search queries, and be careful with optional local caching because search results may include sensitive URLs, summaries, or extracted page content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 76%
Finding
The skill description is broad enough to match many ordinary requests such as researching topics, finding information, or getting current data. Overbroad invocation criteria can cause the agent to invoke this skill unnecessarily, sending user queries to an external service when the user did not explicitly intend web/API use, which raises privacy, cost, and control concerns.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes external API usage, tracking headers, and analytics, but does not clearly warn users that their search queries and request metadata will be transmitted to Nimble's service. This omission can lead to inadvertent disclosure of sensitive prompts, internal project details, or behavioral metadata to a third party without informed user consent.

Missing User Warnings

Medium
Confidence: 85%
Finding
The examples encourage sending arbitrary search queries and a bearer token to a third-party service without an explicit warning that user inputs and potentially sensitive research terms leave the local environment. In an agent skill context, this matters because users may assume searches are local or low-risk and may unintentionally transmit proprietary, personal, or regulated information to the external provider.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly instructs users to send search queries and, when deep_search is enabled, extracted page content to a third-party service, but it does not warn that those inputs may contain sensitive or proprietary data. In a web-search skill, this creates a real privacy and data-governance risk because users may unknowingly transmit confidential prompts, URLs, or scraped content off-platform.

Missing User Warnings

Medium
Confidence: 96%
Finding
The file-based caching example stores API responses locally without any warning that responses may contain sensitive queries, URLs, AI answers, or full extracted page content. This is dangerous because cached search artifacts can persist on disk, be committed to source control, or be read by other local users/processes, expanding exposure beyond the original API call.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script sends user-supplied search queries and platform metadata to a third-party API without any explicit runtime warning, consent flow, or data-minimization controls. In an agent environment, queries may contain sensitive prompts, internal project names, credentials pasted by mistake, or proprietary research terms, so silent transmission to an external service creates a meaningful privacy and data-exposure risk.

VirusTotal

59/59 vendors flagged this skill as clean.
