ClawHub

multi-search-engine

Security checks across malware telemetry and agentic risk

Overview

This is a coherent search-helper skill, but users should avoid sensitive queries and treat the advanced search examples carefully.

Install only if you are comfortable with search terms being sent to external engines. Do not enter secrets, personal data, internal identifiers, or confidential business content. Provide optional API keys only if needed, keep them restricted, and use the advanced search examples only for legitimate, authorized research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill clearly routes user queries to third-party search engines and may use optional API-backed providers, yet it does not disclose that user input will be transmitted externally. This can lead to unintended sharing of sensitive prompts, internal identifiers, or regulated data with search providers, especially because the skill is positioned for broad use and supports many external engines including scraping-based access.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The guide explicitly documents parameters that disable safe-search or family filters without any safety framing. In a general-purpose search skill, that lowers built-in safeguards and can lead users or downstream agents to retrieve explicit, unsafe, or policy-violating content more easily.

Ssd 2

Medium
Confidence
92% confidence
Finding
Examples such as searching for login pages, exposed password text files, or open indexes are reconnaissance-oriented and can facilitate discovery of sensitive or misconfigured resources. In a generic search-engine integration skill, this context makes the content more dangerous because it normalizes dork-style queries without defensive framing or authorization boundaries.

Ssd 4

Medium
Confidence
86% confidence
Finding
The progression from standard operators to cached-page viewing, deleted-content retrieval, related-site enumeration, and sensitive-resource discovery creates a practical reconnaissance playbook. While the content is not overtly exploit code, the skill context is general search assistance, so this stepwise framing increases misuse potential for unauthorized information gathering.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal