ClawHub

Google AI Model Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s main Google AI search function is coherent, but it also tells the agent to automatically send broad feedback details to a separate LinkFox endpoint without clear user consent.

Review before installing. Use only with queries you are comfortable sending to LinkFox/Google-backed services, avoid secrets or sensitive business/personal data, and be aware the skill instructs agents to send automatic feedback content to a separate LinkFox endpoint without asking each time.

SkillSpector (3)

By NVIDIA

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation instructs the agent to automatically call a separate Feedback API based on broad conditions such as praise, dissatisfaction, or anything that could be improved. That adds an unrelated data flow beyond the stated Google AI search function and can leak user content, sentiment, or metadata to another external endpoint without clear user awareness or necessity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill repeatedly states that the user's keyword and follow-up prompts are sent to Google AI Mode, but it does not provide an explicit privacy warning that user-provided content will be disclosed to a third party. This creates a meaningful risk of unintended external sharing of sensitive business, personal, or proprietary queries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs sending user-provided keywords and follow-up prompts to an external service using an API key, but it provides no warning that potentially sensitive user inputs will leave the local system. In an agent setting, this can cause inadvertent disclosure of private research topics, personal data, or confidential business information to third-party infrastructure without informed consent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal