Back to skill

Security audit

Querit Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web search and page-content extraction skill with normal privacy and supply-chain cautions, but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending search terms to Querit.ai and allowing optional page extraction to fetch selected URLs from your machine. Keep QUERIT_API_KEY private, do not include secrets or internal URLs in queries, treat fetched page text as untrusted, and prefer reviewing or pinning the installer source instead of running the one-line installer blindly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation declares environment-variable requirements and shell-based Node entrypoints that clearly imply network and command execution capabilities, yet no explicit permissions are declared. This creates a transparency and governance gap: users or platforms may invoke the skill without understanding that it can access secrets, execute commands, and send data over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a search tool returning structured search results, but the documentation also exposes arbitrary URL fetching and full page content extraction. That mismatch is dangerous because users and orchestration systems may authorize or auto-invoke the skill for low-risk search tasks while it actually performs broader remote content retrieval and transformation, increasing data exposure and SSRF-like abuse surface depending on implementation.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation materially differs from the declared skill purpose: instead of using the Querit.ai search API to return structured search results, it directly fetches and processes arbitrary user-supplied URLs. This creates a broader and riskier capability surface, including arbitrary outbound requests and content retrieval that users and policy layers may not expect from a search skill.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The file-level documentation and CLI usage explicitly describe a content-extraction tool, contradicting the stated skill identity as a web search integration. This kind of capability mismatch is dangerous because it can conceal higher-risk behavior from reviewers, users, or automated governance controls that rely on metadata to understand what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it returns structured search results, but the code also supports fetching full page content from returned URLs via the --content option. This expands the tool's behavior from simple search into arbitrary remote content retrieval, which can expose users or downstream agents to unexpected data access, larger prompt injection surface, and privacy/security risks not disclosed by the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code launches a child Node.js process to run content.js for each result URL, adding subprocess execution to what is described as a search utility. Even though execFile avoids shell injection, this design increases attack surface and allows unreviewed secondary behavior in another script, which is especially risky when processing attacker-controlled URLs from search results.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages automatic web searching and page-content fetching but does not warn users that their prompts, queries, and requested URLs will be transmitted to external services and remote websites. In an agent setting, this can lead to inadvertent disclosure of sensitive data or internal research context, especially because the skill is described as being used automatically when needed.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation guidance is extremely broad ('any web content', documentation, facts, current events), making the skill likely to trigger for many common requests. Over-broad routing increases the chance that sensitive user prompts, proprietary research, or regulated queries are unnecessarily sent to an external service or resolved through a higher-risk tool than intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation does not warn users that search queries, fetched URLs, and potentially extracted page content are transmitted to an external third-party service. This is a data-handling vulnerability because users may unknowingly send sensitive prompts, internal URLs, or confidential content off-platform without informed consent.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The code performs an outbound fetch to any provided URL without any explicit user-facing notice that arbitrary remote servers will be contacted. While this is common in network tools, in an agent skill context it can expose user-provided URLs, trigger requests to unintended destinations, and make the skill's data flow less transparent than expected.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The optional content-extraction path performs additional remote retrieval and subprocess execution beyond ordinary search, but the interface provides no meaningful safety warning about the expanded trust boundary. This can surprise users and agents by pulling untrusted page content into the workflow, increasing exposure to prompt injection, sensitive-data leakage, or unintended access to malicious pages.

External Script Fetching

Low
Category
Supply Chain
Content
set -euo pipefail

# Querit Search — OpenClaw Skill Installer
# Usage: curl -fsSL https://raw.githubusercontent.com/interskh/querit-search/main/install.sh | bash

SKILL_DIR="${HOME}/.openclaw/skills/querit-search"
REPO_BASE="https://raw.githubusercontent.com/interskh/querit-search/main"
Confidence
95% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/interskh/querit-search/main/install.sh | bash

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Web search via Querit.ai API for OpenClaw",
  "license": "MIT",
  "dependencies": {
    "@mozilla/readability": "^0.6.0",
    "jsdom": "^27.0.1",
    "turndown": "^7.2.2",
    "turndown-plugin-gfm": "^1.0.2"
Confidence
88% confidence
Finding
"@mozilla/readability": "^0.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "@mozilla/readability": "^0.6.0",
    "jsdom": "^27.0.1",
    "turndown": "^7.2.2",
    "turndown-plugin-gfm": "^1.0.2"
  }
Confidence
88% confidence
Finding
"jsdom": "^27.0.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@mozilla/readability": "^0.6.0",
    "jsdom": "^27.0.1",
    "turndown": "^7.2.2",
    "turndown-plugin-gfm": "^1.0.2"
  }
}
Confidence
87% confidence
Finding
"turndown": "^7.2.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@mozilla/readability": "^0.6.0",
    "jsdom": "^27.0.1",
    "turndown": "^7.2.2",
    "turndown-plugin-gfm": "^1.0.2"
  }
}
Confidence
87% confidence
Finding
"turndown-plugin-gfm": "^1.0.2"

Chaining Abuse

High
Category
Tool Misuse
Content
set -euo pipefail

# Querit Search — OpenClaw Skill Installer
# Usage: curl -fsSL https://raw.githubusercontent.com/interskh/querit-search/main/install.sh | bash

SKILL_DIR="${HOME}/.openclaw/skills/querit-search"
REPO_BASE="https://raw.githubusercontent.com/interskh/querit-search/main"
Confidence
97% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.