zoomeye-skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ZoomEye search integration, but users should treat its queries as external, account-linked reconnaissance activity.

Install only if you are comfortable providing a ZoomEye API key and sending search terms to ZoomEye. Use a dedicated or revocable key, monitor quota usage, and limit searches to assets or investigations you are authorized to assess.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill uses sensitive capabilities: it requires an environment secret (ZOOMEYE_API_KEY) and sends data over the network to an external service, but it does not declare permissions explicitly. This weakens platform governance and user awareness, making it easier for the skill to access credentials and exfiltrate investigation queries without a clear permission boundary.

Vague Triggers

Medium
Confidence: 84%
Finding: The trigger conditions are broad enough that the skill may activate for general 'security assessment', asset mapping, or threat-intelligence requests without clear scope checks. In a security tool that can query external reconnaissance data, overly broad activation increases the chance of unintended use, unnecessary credential exposure, and sending sensitive indicators to a third-party service.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill does not warn that user-provided queries are transmitted to ZoomEye, an external service, which may reveal targets, indicators, investigation subjects, or internal hypotheses. In threat hunting and security investigations, even search terms can be sensitive, so failing to disclose this data flow creates privacy, operational security, and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding: This reference section provides explicit reconnaissance and exposure-discovery queries for databases, admin panels, IoT devices, and known vulnerable technologies, but it does so without any warning about authorization, lawful use, privacy considerations, or abuse prevention. In the context of an agent skill integrated with a network search engine, this materially lowers the barrier to misuse by enabling rapid targeting and enumeration of potentially exposed systems.

VirusTotal

66/66 vendors flagged this skill as clean.