Back to skill

Security audit

web-search-engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward web-search helper, with the main caveat that search terms are sent to external search engines.

Use this for ordinary web searches, but avoid submitting secrets, private business terms, personal data, or confidential prompts because the selected search provider will receive the query. Treat returned snippets as untrusted web content, not instructions for the agent to follow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends the raw search keyword to third-party search engines (Baidu, 360, Bing, Sogou) with no consent prompt, warning, or data-minimization control. In an agent setting, users may submit sensitive terms containing personal, corporate, or confidential information, which are then disclosed to external services and logged by those providers.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.