ClawHub

Web Search powered by Aliyun IQS

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Alibaba Cloud IQS web-search helper with expected API-key and query transmission behavior, and no hidden destructive or unrelated actions found.

Install this only if you are comfortable using an Alibaba Cloud IQS API key and sending search queries to Alibaba Cloud. Use a dedicated key with limited quota where possible, avoid putting secrets or internal/private text into queries, and avoid storing the key in shell profile files on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares shell-based execution requirements and example command invocations but does not declare corresponding permissions. This creates a transparency and governance gap: an agent or platform may expose shell execution behavior without users or policy controls clearly understanding that the skill can invoke local commands and external network requests.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger guidance says to use the skill whenever a user needs internet retrieval, which is broad enough to match many generic requests. Overly broad invocation can cause unintended exfiltration of user prompts or sensitive context to a third-party search API, especially if an agent auto-selects tools without explicit user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Although the skill mentions an HTTP API, it does not clearly warn users at the point of use that their search terms are transmitted to an external Alibaba Cloud service. This can lead to privacy and data-handling issues if users or agents submit confidential, regulated, or proprietary information as search queries.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal