Xyz

Security checks across malware telemetry and agentic risk

Overview

This is a normal web-search skill with documentation mistakes and external-query privacy considerations, but no evidence of hidden, destructive, or unrelated behavior.

Before installing, confirm the correct script entry point and treat every search query as data that may leave your machine. Use API keys with limited scope, point SearXNG only at a trusted instance, and do not submit secrets, private customer data, or regulated information unless that external transmission is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 91%

Finding: The documentation presents the skill as a straightforward web-search tool but later describes a substantially different deep-research workflow with iterative LLM analysis and external dependencies. This mismatch is dangerous because operators may enable or trust the skill under false assumptions about its behavior, scope, and data flows.

Intent-Code Divergence

Severity: High
Confidence: 97%

Finding: The file explicitly instructs users to run `python scripts/xyz.py` while later claiming that no executable script exists. This is a high-risk integrity issue because it can mislead users, reviewers, or automation into invoking nonexistent or substituted code, creating an opportunity for accidental execution of unintended files or supply-chain style confusion.

Intent-Code Divergence

Severity: Medium
Confidence: 89%

Finding: The document claims direct support for multiple providers and env-driven execution, but later says real search is delegated to another external skill. This inconsistency obscures the true trust boundary and data path, which can lead to unreviewed external calls, incorrect security assumptions, and incomplete hardening of the actual component performing the searches.

Intent-Code Divergence

Severity: Medium
Confidence: 88%

Finding: Claiming standard-library execution behavior, optional dependencies, and startup network checks implies runnable code, yet the file later says no executable script exists. This discrepancy can cause reviewers to miss where network access actually happens and weakens security review by hiding the true implementation surface.

Context-Inappropriate Capability

Severity: Low
Confidence: 89%

Finding: The script performs outbound connectivity checks before processing the user's actual search. Even though the probe target is hardcoded and not obviously malicious, it creates unsolicited network activity that is unrelated to the specific user request and can leak execution metadata or create policy/compliance issues in restricted environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%

Finding: The SearXNG backend allows the destination host to be fully controlled by the SEARXNG_URL environment variable, enabling arbitrary outbound HTTP requests. In agent environments this can be abused for SSRF-like behavior, internal service access, or unintended transmission of user queries to attacker-controlled infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding: The skill describes sending user queries to third-party search engines and LLM services but does not warn users that their prompts and possibly sensitive context will leave the local environment. In agent workflows, this can expose confidential research topics, proprietary data, or personal information to external providers without informed consent.

Missing User Warnings

Severity: Low
Confidence: 82%

Finding: The documentation instructs users to configure API keys in environment variables but does not include guidance on protecting secrets or avoiding exposure through logs, shell history, or shared environments. While common, this omission increases the risk of credential leakage and misuse in multi-user or poorly controlled deployments.

VirusTotal

64/64 vendors flagged this skill as clean.