Kagi Enrich

Security checks across malware telemetry and agentic risk

Overview

The Kagi search function is coherent, but the wrapper can download and immediately run an unverified GitHub release binary.

Install only if you are comfortable with a paid Kagi API key and a local executable in the skill directory. Prefer building from the included Go source. If using the prebuilt path, verify the release checksum or signature before running it, because the wrapper does not enforce verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This wrapper does more than invoke a search tool: it conditionally builds code and, if that fails, downloads and installs a prebuilt executable from GitHub releases. That creates an unexpected software installation/update path with remote code execution implications, which exceeds the stated search-only purpose and increases supply-chain risk.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The script fetches release metadata from GitHub and downloads an executable binary, then marks it executable and runs it. Downloading and executing an unverified remote binary is a classic supply-chain risk: if the release, repository, account, or transport assumptions are compromised, arbitrary code can run on the host.

Missing User Warnings

Low
Confidence: 85%
Finding
The skill sends user search queries to Kagi's external API, but the description does not clearly warn users that their prompts and search terms leave the local environment. This is a privacy transparency issue: users may disclose sensitive topics assuming the tool is local-only, leading to unintended third-party data exposure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code sends the user-supplied search query to Kagi's external API via an HTTP request, but the program does not provide any runtime disclosure or consent mechanism before transmitting potentially sensitive user input off-box. In a skill context, users may reasonably assume their query is processed locally unless told otherwise, so this can leak private topics, internal terms, or regulated data to a third party.

External Transmission

Medium
Category: Data Exfiltration
Content
aarch64|arm64) ARCH="arm64" ;;
esac

TAG=$(curl -fsSL "https://api.github.com/repos/joelazar/kagi-skills/releases/latest" | grep '"tag_name"' | cut -d'"' -f4)
BINARY="kagi-enrich_${TAG}_${OS}_${ARCH}"

mkdir -p {baseDir}/.bin
Confidence: 90%
Finding
https://api.github.com/

VirusTotal

64/64 vendors flagged this skill as clean.
