Web Search Plus 2.8.6

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-search skill whose external provider use, API keys, and local caching match its stated purpose, with privacy considerations users should understand.

Install only if you are comfortable with search terms, URLs, and optional full-content retrieval being sent to the configured provider and cached locally. Add only the provider keys you intend to use, disable providers you do not want, use SearXNG for privacy-sensitive searches, and use --no-cache or --clear-cache when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'req' from input (line 217, user input) → urllib.request.urlopen (network output)

Medium
Category
Data Flow
Content
    headers={"User-Agent": "ClawdBot-WebSearchPlus/2.5", "Accept": "application/json"}
)

with urllib.request.urlopen(req, timeout=10) as response:
    data = response.read().decode("utf-8")
    import json
    result = json.loads(data)
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents capabilities that read environment variables, read/write local files, and make network requests, but it does not declare permissions accordingly. This can prevent users or hosting frameworks from accurately understanding and constraining what the skill can access, increasing the risk of unintended data exposure or overly broad execution in environments that rely on declared permissions.

Description-Behavior Mismatch

Low
Confidence
85% confidence
Finding
The skill persists search queries, provider selections, and provider health/error history to local JSON files while presenting itself primarily as a unified search/router. That creates an undisclosed local data-retention behavior that may expose sensitive user prompts, interests, or operational metadata to other local users, backups, or forensic collection.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes sending arbitrary search queries to multiple third-party providers but does not prominently warn users that their prompts, URLs, and potentially sensitive research terms will leave the local environment. In an agent skill context, users may assume a generic 'search' action is low-risk and unknowingly transmit confidential, regulated, or internal data to external services with different retention and privacy policies.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes automatic local caching of search results for one hour but does not clearly warn that cached queries and returned content may persist on disk in `.cache/`. In shared machines, CI environments, or multi-user agent deployments, this can expose sensitive prompts, URLs, research topics, or retrieved content to later users or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill routes user queries to multiple external search providers, but the user-facing description does not clearly warn that query contents may be transmitted to third parties. Users may unknowingly submit sensitive prompts, internal project names, credentials, or personal data to outside services, creating a privacy and compliance risk.

Vague Triggers

High
Confidence
86% confidence
Finding
The trigger phrases "search", "find", "look up", and "research" are extremely broad and likely to match normal conversation, causing the skill to activate unexpectedly. In an agent ecosystem, that can route benign user prompts into external web-search behavior, increasing the chance of unintended data disclosure, unapproved network access, or invocation hijacking over more appropriate skills.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cache stores raw queries and full provider result payloads to disk, including metadata such as provider choice and parameters, without any user-facing warning or consent flow. Search queries often contain sensitive research topics, internal URLs, or personal data, so local persistence materially increases privacy and data-exposure risk on shared systems or in backups.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The core function of the skill is to send user queries to external search providers, but there is no explicit warning that prompts, URLs, filters, and sometimes live-crawled content requests are transmitted to third parties. This is a real data-sharing/privacy issue because users may assume a local search abstraction rather than direct disclosure to Serper, Tavily, Exa, Kilo/Perplexity, You.com, or a SearXNG instance.

VirusTotal

64/64 vendors flagged this skill as clean.