Security audit

yandex-image-search

Security checks across malware telemetry and agentic risk

Overview

This skill performs disclosed reverse image search using external search engines, with privacy and cleanup cautions but no artifact-backed malicious behavior.

Install only if you are comfortable sending searched images or image URLs to Yandex, Google Lens, or Bing. Avoid private or sensitive images unless that sharing is acceptable, consider pinning dependencies in controlled environments, and delete /tmp/openclaw-yandex-debug-*.html files after failed Yandex runs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: The function writes full fetched Yandex HTML responses to predictable files under /tmp. Those pages can contain sensitive query-related data, debugging artifacts, or service response details, and persisting them to shared local storage creates unnecessary data exposure beyond the stated reverse-image-search purpose.

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The diagnostic flow collects detailed Yandex response metadata, parses internal page-state structures, and returns recovered content beyond normal search results. This expands the tool's data collection surface and may expose internal response details, URLs, titles, and other query-linked information not necessary for the skill's advertised function.

Description-Behavior Mismatch

Low

Confidence: 87% confidence
Finding: On Yandex failure, the script returns verbose attempt logs and diagnostics rather than a minimal error. This can leak environmental details, backend behavior, final URLs, parsing markers, and filesystem paths that are not needed by end users and can aid reconnaissance or expose sensitive operational data.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This skill sends user-provided image URLs or local image files to third-party reverse image search services, but the description does not warn users that their data will leave the local environment. That can expose sensitive images, embedded metadata, internal URLs, or private file contents to external services without informed consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill sends either local image files or user-supplied image URLs to third-party reverse-image-search providers, which is inherent to the feature but still a real privacy/security concern when done without explicit disclosure or consent handling. In this skill context, that risk is elevated because users may provide sensitive local images expecting analysis, not external transmission to multiple outside services.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: Saving raw Yandex debug HTML to /tmp can persist sensitive search-related content on disk without user awareness. In multi-user or monitored environments, temporary directories may be accessible to other processes or retained longer than expected, increasing the chance of unintended disclosure.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal