ClawHub
Back to skill

Security audit

Keenable Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that uses a disclosed third-party MCP endpoint, with normal privacy and API-key cautions for that kind of integration.

Install only if you are comfortable sending search queries and fetched URLs to Keenable's hosted service. Do not use it for secrets, internal-only URLs, regulated data, or private account pages unless your organization has approved that data flow. If you use an API key, store it in a secure agent configuration or secret manager rather than committing it to shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly routes user search queries and requested URLs to a third-party hosted MCP endpoint, and may return third-party page content, but it does not clearly disclose the privacy and data-handling implications to the user. This creates a real transparency and data-exposure risk because users may submit sensitive queries or internal URLs without realizing they are being transmitted off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
want in natural language and it returns ranked results with titles, URLs, and
snippets, or fetches a known URL as clean, LLM-ready markdown.

**MCP server:** `https://api.keenable.ai/mcp` (Streamable HTTP)
**Free tier:** works keyless — a rate-limited public endpoint, no signup
**API key:** set the `X-API-Key` header to raise rate limits (and to enable the
low-latency `realtime` search mode on eligible accounts) — [keenable.ai](https://keenable.ai)
Confidence
89% confidence
Finding
https://api.keenable.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
{
  "mcpServers": {
    "keenable": {
      "url": "https://api.keenable.ai/mcp",
      "headers": { "X-API-Key": "YOUR_KEENABLE_API_KEY" }
    }
  }
Confidence
92% confidence
Finding
https://api.keenable.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal