ClawHub

InfoQuest Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward BytePlus InfoQuest search and URL extraction skill with expected third-party API use and no hidden privileged behavior found.

Install only if you are comfortable sending searches, image queries, site filters, and URLs to BytePlus InfoQuest. Do not use it for secrets, internal-only URLs, or confidential research topics unless that matches your policy. Keep INFOQUEST_API_KEY in an environment variable or secret manager, avoid committing it, and prefer Node.js 18+ or a pinned node-fetch version if older Node.js support is needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly sends user-provided search queries and extraction targets to the external BytePlus InfoQuest service, but the description does not warn users that their prompts, URLs, and potentially retrieved content leave the local environment. This can cause inadvertent disclosure of sensitive research topics, internal URLs, or confidential content when an agent uses the skill in contexts where users may assume local-only processing.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The setup instructions tell users to export an API key but do not warn them to avoid pasting real credentials into shared shells, transcripts, screenshots, or logs. While this is common documentation style, it still increases the chance of accidental credential exposure during setup or debugging.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal