Web Search Local

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local web-search skill, but users should review it before installing: authenticated proxy credentials can be printed in logs, and search terms are sent to external providers and cached locally.

Install only if you are comfortable with search terms going to external search engines and being cached locally for a short period. Avoid embedding usernames or passwords in proxy URLs unless the script is changed to redact them from its logs, and use --no-cache or --cache-clear for sensitive searches.
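The log-redaction the overview asks for is small enough to show. The following is an added example (not code from the skill or from SkillSpector) of how a script that logs its proxy setting can strip the user:password@ part before writing it, plus a last-resort filter over log lines that may already contain a raw proxy URL. The proxy URL and log line are constructed for the example; the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def redact_proxy_url(url: str) -> str:
    """Return url with any userinfo (user:password@) replaced by placeholders.

    Only the credential part is changed; scheme, host, port, path and query
    are kept so the log line is still useful for debugging.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact
    host = parts.hostname or ""
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals; restore them
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    user = "***" if parts.username else ""
    pw = ":***" if parts.password else ""
    return urlunsplit((parts.scheme, f"{user}{pw}@{host}", parts.path,
                       parts.query, parts.fragment))


# Anything that looks like scheme://... up to whitespace or a quote.
_URL_RE = re.compile(r"\w[\w+.-]*://[^\s\"']+")


def redact_log_line(line: str) -> str:
    """Defensive filter for log lines: redact every URL-like token in place.

    Use this on the logging path when you cannot guarantee that every caller
    remembered to pass its proxy URL through redact_proxy_url first.
    """
    def _sub(m: re.Match) -> str:
        try:
            return redact_proxy_url(m.group(0))
        except ValueError:  # e.g. a malformed port; leave the token unchanged
            return m.group(0)
    return _URL_RE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed sample: an authenticated proxy as a user might configure it.
    proxy = "http://alice:s3cret@proxy.example.internal:3128"
    print(redact_proxy_url(proxy))
    print(redact_log_line(f"proxy={proxy} query=quarterly results"))
```

Log the value of redact_proxy_url(proxy) rather than proxy itself, and keep the original string only in memory for the HTTP client. The line filter is a safety net, not a substitute: it only catches credentials that are formatted as a URL.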

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises executable behaviors that require network access plus local file read/write through caching and optional output-file writing, yet it declares no permissions. This creates a transparency and governance gap: users or orchestrators may invoke a capability set broader than expected, increasing the chance of unauthorized data access, persistence, or network use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation understates the actual capability surface: beyond simple search, the skill supports arbitrary output-file writes, proxying, redirect control, cache management, and an extra urllib-based fetch path. In an agent setting, undocumented capabilities are dangerous because they can be repurposed for data exfiltration, stealthier network routing, or filesystem side effects that users did not consent to.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill sends user queries to external search engines and can also route them through user-specified proxies, but the README does not warn that search terms, IP/proxy metadata, and possibly request fingerprints will be disclosed to third parties. In an agent context, users may submit sensitive prompts or operational queries assuming local handling, so the lack of disclosure increases privacy and data-leakage risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list contains common phrases such as 'search', '帮我找' ('help me find'), and similar everyday wording that can match benign conversational text. Overbroad activation can cause the skill to run unexpectedly, leading to unintended external network requests, disclosure of user queries to third-party search engines, and accidental file/cache side effects.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The natural-language activation guidance is broad and lacks explicit exclusion rules, so many ordinary requests for information could auto-route into this skill. In this context, that is risky because the skill performs outbound web access and caching, which may expose user prompts or create state even when the user did not clearly request a web search tool.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
User queries are sent to third-party search engines and also cached locally under the user's home directory without any explicit user-facing notice or consent flow. In an agent skill context, users may submit sensitive internal terms, names, incident details, or credentials by mistake, causing privacy leakage to external providers and persistent local storage of sensitive searches.

Natural-Language Policy Violations

Medium
Confidence
73% confidence
Finding
The WebFetch fallback hard-codes the cn.bing.com endpoint and Chinese language headers without explicit user choice, which can route queries to a different regional service and disclose user searches under an unexpected locale/jurisdiction. In a search skill that may process sensitive prompts, silently changing provider region increases privacy and compliance risk.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
80% confidence
Finding
A single-word trigger like '搜索' ('search') is so short and generic that it increases accidental activation risk. Given that activation leads to outbound searches and cache/file activity, even low-friction false positives can expose user queries or trigger unnecessary network operations.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
Using 'search' as a trigger conflicts with a common built-in command name, creating command-shadowing risk. In an agent environment, that can divert user intent from a safer or expected native search pathway into this skill's broader behavior set, including undocumented proxy, redirect, and file-output features.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
77% confidence
Finding
The trigger '百度' (Baidu, the name of a search engine) is brief and may appear in normal discussion without meaning 'invoke this skill.' That ambiguity can result in unintended web requests and query disclosure to external services when the user may only be referencing a search engine conversationally.

VirusTotal

65/65 vendors reported this skill as clean.
