Cn Web Search 2.2.0

Security checks across malware telemetry and agentic risk

Overview

This is a search helper that sends user queries to public search engines, with no evidence of hidden code, credential access, persistence, or destructive behavior.

Install only if you are comfortable with the agent sending your search terms to public search engines and content sites. Avoid entering secrets, confidential business information, private personal details, or sensitive research topics as queries. The stale README/package metadata is worth noting, but the reviewed artifacts do not show malicious or suspicious behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The README shows very broad natural-language invocations such as '搜一下…' without clear activation boundaries, which can cause accidental or overly permissive triggering by an agent. In a search skill that reaches many external sites, ambiguous activation increases the chance of unintended web access, privacy leakage in queries, and prompt-routing mistakes.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly encourages sending user-supplied search queries to multiple third-party websites through `web_fetch`, but it does not disclose that those queries will be transmitted to external services. Search terms can contain sensitive data such as company plans, health issues, credentials, or internal research topics, and broadcasting them to many providers increases privacy and data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.
