ClawHub

Multi Search Engine

Security checks across malware telemetry and agentic risk

Overview

This is a normal search helper, but its guide includes unsafe search examples for finding exposed passwords, admin pages, directory listings, and deleted cached content.

Review before installing. Use only for legitimate web research, avoid searches intended to uncover passwords, admin panels, private files, or removed content, and do not put secrets, personal data, internal domains, or confidential project names into search queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation includes search examples such as `inurl:login admin`, `intitle:"index of" mp3`, and especially `intext:password filetype:txt`, which are classic dorking patterns used to locate exposed credentials or sensitive resources. In a general multi-search skill, these examples unnecessarily normalize recon techniques that can facilitate unauthorized access or discovery of leaked data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide explicitly recommends using search-engine cache to view deleted content, which can encourage retrieval of information the publisher intended to remove. That expands the skill from neutral search assistance into guidance for bypassing content removal expectations and accessing stale sensitive data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to send arbitrary search queries to numerous third-party search engines, but it does not disclose that those queries leave the local environment and may be logged, profiled, or correlated by external providers. This is especially risky because queries may contain sensitive research terms, internal domains, file names, credentials pasted by mistake, or other private data, and the inclusion of many providers increases the exposure surface.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal