Security audit

Smart Search

Security checks across malware telemetry and agentic risk

Overview

Smart Search appears to be a legitimate web-search skill, but its privacy, credential, trigger, and SearX deployment behavior are under-disclosed enough that users should review it carefully before installing.

Install only if you are comfortable with search queries being sent to Exa, Tavily, or a configured SearX instance. Do not search secrets, regulated personal data, or internal business information unless you have verified a local-only SearX setup and disabled external fallback. Treat TAVILY_API_KEY as a secret, avoid printing it in terminals, and harden any SearX deployment by binding to 127.0.0.1, enabling limits, and using a maintained image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates shell-capable behavior such as running curl, docker, chmod, and deployment scripts, yet no explicit permissions are declared. This creates a trust and review gap: users may invoke a skill that can execute local commands, manage containers, or modify the environment without clear permission boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill advertises 'zero configuration' and 'no API key required' while also depending on optional local environment variables, local services, and operational scripts beyond simple search. Misleading behavior claims can cause users to enable or trust functionality without understanding that local setup, credentialed external services, or publishing/deployment actions may occur.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation states SearX supports 'no external requests' in privacy scenarios, but the skill is fundamentally a web-search tool and elsewhere documents calls to external services. This can mislead users into submitting sensitive queries under a false privacy assumption, causing unintentional data disclosure to remote services or networked instances.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation claims API keys are 'never uploaded', but Tavily usage necessarily sends an authenticated request using the API credential to Tavily. Even if the key is not hardcoded, this statement can mislead users about credential exposure and external trust boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments explicitly justify pinning an old SearX version because it lacks bot detection and keeps the JSON API fully usable, which indicates deliberate selection of a weaker security posture to avoid service protections. In the context of a search skill, this suggests intentional circumvention of anti-abuse controls and increases the likelihood the deployment will be used in ways the upstream software or target engines tried to restrict.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The header comments claim the API key is read locally and 'never transmitted', but the Tavily request explicitly sends that key in an Authorization header to a third-party service. Misleading security claims are dangerous because users may trust the skill with sensitive queries or credentials under false assumptions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments state that only Exa and Tavily receive search queries, but the implementation also sends queries to a configurable SearX endpoint via SEARXNG_URL. If that endpoint is remote or attacker-controlled, user searches may be disclosed to an unintended destination.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes 'zero-config' and 'privacy protection' but does not clearly warn that Exa MCP and Tavily transmit user queries to external third-party services. Users may submit sensitive prompts believing the tool is private by default, causing unintended disclosure of personal, proprietary, or regulated data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents `docker rm -f searx` as a routine management step without warning that deletion is irreversible for the container and may remove runtime state. In an agent skill context, users may copy-paste commands directly, so omission of cautionary language increases the chance of accidental destructive actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The restore procedure instructs users to run `rm -rf ~/searx-config` without any warning, confirmation step, or validation of the target path. Recursive forced deletion can permanently erase configuration and, if the path is mistyped or expanded unexpectedly, can destroy unrelated files in the user's home directory.

Vague Triggers

High
Confidence
95% confidence
Finding
The triggers include very broad common words like 'search', 'find', 'latest', 'write', and 'deep', which can cause the skill to activate unintentionally during normal conversation. Because the skill sends queries to external search providers, accidental invocation can expose user prompts, drafts, or sensitive context without clear intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill heavily promotes convenience and privacy but does not clearly warn users that many searches are transmitted to third-party services including Exa and optionally Tavily or SearX instances. Missing disclosure weakens informed consent and increases the risk that users send confidential, regulated, or personal information externally.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list contains broad everyday phrases such as '搜索', '最新的', and content categories like '写文案', making accidental activation likely. In a skill that can perform network requests and shell-capable actions, unintended invocation increases the chance of unreviewed data transmission or command execution flows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Ambiguous triggers based on broad content categories rather than precise commands can cause the skill to activate in unrelated conversations. Because this skill interfaces with external services and local tooling, over-broad routing meaningfully raises the risk of unintended search queries or side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs users to place a live API key in a plaintext environment file and later inspect it with commands that can reveal the secret, but it gives no warning about credential sensitivity, file permissions, shoulder-surfing, terminal scrollback, or shell history exposure. This is a real secret-handling weakness because users may copy, display, or store the key insecurely, increasing the chance of credential leakage and abuse of the Tavily account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The troubleshooting example embeds the API key directly in a curl command's Authorization header without warning that the secret may be captured in shell history, process listings, terminal logs, or recorded support screenshots. That makes accidental credential disclosure more likely and could allow unauthorized use of the API quota or account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The routing logic marks privacy-sensitive queries for SearX, but fallback logic can silently resend the same sensitive query to Exa or Tavily if SearX fails. That defeats the privacy-preserving intent and may expose medical, financial, account, or other sensitive searches to external providers without explicit consent.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
85% confidence
Finding
The trigger '搜索' is extremely broad and likely to match many ordinary user requests. In a network-enabled skill, this can cause unintentional activation and unnecessary transmission of user queries to external providers.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
84% confidence
Finding
The trigger '查查' is colloquial and highly ambiguous, so it may activate on casual language not intended to invoke the skill. That increases the risk of accidental query submission or unexpected behavior.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
82% confidence
Finding
The trigger '深度' is too generic and may match normal descriptive language rather than an invocation. Overly short triggers are especially risky in tools that initiate remote lookups or optional local operations.

VirusTotal

65/65 vendors flagged this skill as clean.