Codex Deep Search

Security checks across malware telemetry and agentic risk

Overview

This deep-search skill does the advertised research work, but it also sends research details to Telegram and triggers a local authenticated wake hook in ways that are under-scoped for general installation.

Review before installing. Use it only if you intentionally want background Codex searches, Telegram result delivery, and local OpenClaw hook signaling. Replace or remove the hardcoded Telegram group, avoid using it for confidential research unless local-only mode is enforced, and audit the hook-token behavior and hardcoded paths first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands and background processes but does not declare corresponding permissions, which weakens the trust boundary and hides its actual execution capabilities from reviewers and policy controls. In a skill that accepts user-provided prompts and launches a script, undeclared shell access increases the chance of unreviewed command execution paths or abuse through surrounding tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is deep search, but the skill also references Telegram callbacks, reading local configuration for a hook token, and authenticated POSTs to a local wake endpoint. That hidden behavior materially expands data flow and privilege use beyond user expectations, creating risks of covert exfiltration, internal service interaction, and secret handling without transparent disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script performs Telegram notifications and a local wake-hook callback even though the stated skill purpose is deep web search. This expands the skill's behavior into out-of-band messaging and inter-process signaling, which can leak user queries, output paths, and summaries to other channels without being inherent to search functionality.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation includes side-channel communication capabilities beyond the manifest's described deep-search behavior. Hidden or undocumented messaging/callback behavior is dangerous because users may assume the skill only searches and writes a report locally, while it also signals external/local services with task data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include broad everyday language such as Chinese phrases meaning 'search in detail' or 'help me look this up,' which can cause the skill to activate in routine conversations where the user did not intend this higher-privilege workflow. Because the skill can spawn background tasks and send results externally, accidental invocation increases the chance of unnecessary data handling and unintended outbound communication.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends the search prompt, output path, and a result summary to Telegram, which can expose sensitive research topics or derived content to a third-party messaging channel. Because there is no in-file warning, consent flow, or content redaction, users may unknowingly leak confidential information through normal use of the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently reads a bearer token from local configuration and uses it to authenticate a callback to a local HTTP hook. Even though the destination is localhost, this is still an undisclosed privileged action that can trigger other components or workflows, potentially causing unintended automation or data propagation.

Session Persistence

Medium
Category
Rogue Agent
Content
### Dispatch Mode (recommended — background + callback)

```bash
nohup bash /home/ubuntu/clawd/skills/codex-deep-search/scripts/search.sh \
  --prompt "Your research query" \
  --task-name "notebooklm-research" \
  --telegram-group "-5006066016" \
```
Confidence
86% confidence
Finding
nohup

VirusTotal

65/65 vendors flagged this skill as clean.
