media-search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real media-search skill, but it needs review because it handles API credentials unsafely: it logs tokens and disables HTTPS certificate verification.

Review or fix this before installing in a sensitive environment. At minimum, remove token/header logging, enable HTTPS certificate verification, protect or avoid the local token cache, and treat all searches as data sent to an external media API. Avoid sensitive queries unless you trust the API provider and the local machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation describes capabilities requiring environment variable access, network access, and file writes/reads, but no explicit permissions are declared. This creates a trust and review gap: an agent may invoke a skill with broader capabilities than users or platform policy expect, increasing the risk of unintended data access or exfiltration. In this context, the skill performs external media queries and can write result files, so undeclared capabilities are materially relevant rather than theoretical.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The README describes behavior beyond simple media search: it persistently stores authentication tokens and all search results on disk by default. In a tool used for investigations, research, or competitive monitoring, this can expose sensitive queries, retrieved content, and reusable credentials to other local users, backup systems, or unrelated processes if the host is compromised or shared.

Intent-Code Divergence
Severity: Low
Confidence: 97%
Finding: Stating that HTTPS certificate verification is disabled by default indicates insecure network transport settings. This enables man-in-the-middle interception or modification of API traffic, which is especially risky here because the tool handles API credentials, tokens, and potentially sensitive search queries and results.

Intent-Code Divergence
Severity: Medium
Confidence: 85%
Finding: The documentation gives conflicting statements about persistence: one section says results are only saved when --output-file is specified, while another says all results are auto-saved to the sources folder. This ambiguity can cause operators to mishandle sensitive search results, either assuming nothing is stored when files are actually persisted or failing to clean up retained data. Because this skill processes news research and potentially sensitive investigative queries, unclear storage behavior increases privacy and data-handling risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The code logs the full request headers before making the API call, and those headers include the authentication token. If logs are accessible to operators, aggregated into centralized logging systems, or exposed during debugging, the token can be reused to impersonate the service and query the upstream media API. In a search skill, credential exposure is unnecessary and creates a direct secret-leak path.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The code globally suppresses urllib3 InsecureRequestWarning and later makes the token request with TLS verification disabled. This enables man-in-the-middle interception of the token exchange, allowing an attacker on the network path to steal API credentials or return a malicious token response without visibility to operators.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The skill silently persists full search results, including summaries and article content, into a local sources directory even though the manifest describes only search/retrieval behavior. This creates an unexpected data-retention channel that can store sensitive queries, licensed content, or investigation material on disk, increasing exposure to later unauthorized access or unintended reuse.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Automatic persistence of search results and token cache without a prominent warning creates a confidentiality and privacy risk. Users may run searches involving sensitive topics, persons, or investigations, and the silent creation of local artifacts increases exposure through local compromise, syncing, backups, or accidental sharing.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: Mentioning that certificate verification is disabled by default without making it a prominent warning understates a serious transport-security issue. Because this skill sends authenticated requests to an external API, weak TLS validation can expose credentials, tokens, and search content to interception or tampering.

Vague Triggers
Severity: High
Confidence: 96%
Finding: The trigger description includes very broad everyday phrases such as '查一下' ("look it up") and '搜一下' ("search it"), which can cause the skill to activate in many unrelated conversations. Over-broad invocation increases the chance of unintended network searches, external data disclosure through query terms, and execution in contexts where the user did not intend this tool to be used. Since the skill can access external services and store outputs, accidental activation is more dangerous than for a purely local, read-only helper.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The request explicitly disables TLS certificate verification while transmitting both user search queries and an authentication token. This enables man-in-the-middle attacks where an attacker on the network path can intercept or modify traffic, steal the token, and tamper with returned media results. In a news and intelligence search skill, result integrity matters because poisoned responses can mislead downstream reporting or analysis.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The token manager persists access tokens and related metadata in a local JSON file in the project directory, but does not set restrictive file permissions, encrypt the cache, or otherwise protect the stored token. On shared hosts or multi-user environments, another local user or process could read or replace the file and reuse or tamper with the token.

Tool Parameter Abuse
Severity: High
Category: Tool Misuse
Content (quoted from the skill's README; comments translated from Chinese):
```sh
python3 search.py --json-input '{"keywords": "test"}' --output-file sources/result.json

# After using the result, clean it up if it is no longer needed
rm sources/result.json  # delete the temporary JSON file
```
Confidence: 91%
Finding: rm sources/

VirusTotal

66/66 vendors flagged this skill as clean.
