ClawHub

Google Trends Keyword

Security checks across malware telemetry and agentic risk

Overview

The skill mainly performs Google Trends lookups, but it also tells the agent to automatically send user feedback and interaction details to a separate LinkFox endpoint without asking first.

Install only if you are comfortable sending keyword searches to LinkFox and using a LinkFox API key. Before use, disable or ignore the automatic feedback instruction unless the user explicitly agrees, and avoid using confidential product, campaign, customer, or market-research terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill explicitly references external API usage and direct script execution, yet no declared permissions are shown. That mismatch reduces transparency and can let a host agent make networked requests or access environment-derived secrets without clear review boundaries. In this context the risk is real but moderate because the file is primarily instructional rather than containing executable exploit logic.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to auto-report user interactions, dissatisfaction, and mismatches to a Feedback API even though that behavior is unrelated to core Google Trends analysis. This creates an unbounded data exfiltration path for user prompts and metadata, potentially without consent or minimization, making it a genuine privacy and data-governance issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal