Back to skill

Security audit

WebSearch-Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web-search helper for a self-hosted SearXNG instance, with expected network access and a few setup cautions but no evidence of hidden or destructive behavior.

Install this if you want a SearXNG-backed web search skill. Review install.sh before running it because it can modify your shell PATH, configure SEARXNG_URL to a service you trust, prefer HTTPS for remote endpoints, and treat fetched webpage text as untrusted evidence rather than instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad enough that many ordinary information requests could invoke this skill automatically, causing unnecessary web access and shell/script execution. In an agent setting, overbroad routing can bypass user expectations about when external services are contacted and can expand the attack surface for prompt-driven tool misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer appends a PATH modification to ~/.bashrc and ~/.zshrc automatically, changing the user's shell startup behavior without an explicit confirmation step. While common in developer tooling, persistence changes to shell RC files can have lasting security and usability effects, especially if the installed shims later get replaced or the skill directory is moved.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script fetches arbitrary remote URLs returned by search results and prints their contents directly, which can cause unexpected external network access and expose users or downstream systems to untrusted content. In an agent context, this is more dangerous because the tool may retrieve attacker-controlled pages, internal URLs surfaced by a compromised search backend, or content containing prompt-injection text that could influence later processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user search queries to a remote SearXNG instance without any disclosure, consent prompt, or trust boundary warning. Because the default URL is http://localhost:8080 and the endpoint can be overridden, queries may traverse an unencrypted or untrusted service, exposing potentially sensitive research terms to interception, logging, or a malicious search backend.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.