Security audit

Tsearch Web Search

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real web-search tool, but it has enough under-scoped external data sharing and local persistence behavior that users should review it before installing.

Install only if you are comfortable sending search queries, API credentials, and session/app metadata to LinkFox or to any host set in LINKFOX_TOOL_GATEWAY. Keep that gateway variable trusted, avoid confidential searches, and periodically clean the local linkfox cache/output folders if the workspace may be shared or committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content (excerpt from the scanned script)

        method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Vague Triggers

High
Confidence
96% confidence
Finding
The activation description is extremely broad and says the skill should trigger for essentially any request involving current facts or online information, even when the user did not explicitly ask to search. This can cause unnecessary invocation of an external web-retrieval capability, increasing the chance of over-collection of third-party content, misrouting user tasks, and bypassing more appropriate tools or safer workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that it automatically extracts page content from top results, but the description does not clearly warn users at invocation time that using the skill sends queries to external services and retrieves full third-party page text. This reduces transparency and informed consent, especially when searches may include sensitive topics or when users may expect only links rather than content extraction.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically transmits SESSION_ID, MODE_ID, and APP_NAME from the environment to a remote service without any consent prompt or clear warning at runtime. In an agent environment, these values may reveal internal workflow, tenant, or session metadata and become more dangerous when combined with the configurable gateway endpoint.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists full API responses to disk by default, which may include sensitive search contents, API-returned data, or session-associated information. In an agent/workspace setting, automatic long-lived storage increases exposure to later unauthorized access, accidental commit, or leakage across tasks.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.