Security audit

Liner Search (MCP)

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed MCP bundle that connects OpenClaw to Liner's hosted search service using an API key, with no executable code or hidden behavior found.

Install only if you are comfortable sending search and research prompts to Liner's hosted MCP service. Use OAuth or store LINER_API_KEY in a protected environment file, do not paste real API keys into shared config snippets, screenshots, logs, or source control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README includes a client configuration example with a realistic bearer token format (`sk_live_...`) embedded directly in headers, which can normalize unsafe secret-handling practices and lead users to paste long-lived credentials into plaintext config files. In the context of an MCP bundle that connects to a hosted remote service, this increases the chance of credential leakage through local files, screenshots, logs, or accidental commits.

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal