Smart Image Search

Security checks across malware telemetry and agentic risk

Overview

This skill does ordinary image searching and downloading, but users should know their search terms are sent to public image search engines.

Install this only if you are comfortable with image search terms being sent to Bing, Baidu, and Sogou, and with selected images being saved locally in a temporary search-image directory. Avoid confidential, personal, medical, workplace, or proprietary queries unless that external search exposure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 94% confidence
Finding
The script sends raw user search queries to multiple third-party image search engines (Bing, Baidu, and Sogou) via outbound HTTP requests, which can disclose sensitive user intent or personal data embedded in the query. In this skill context, users may search for people, brands, avatars, memes, or other potentially identifying terms, and the code contains no consent check, minimization, warning, or policy gate before transmitting that data externally.

Missing User Warnings

Medium, 87% confidence
Finding
The script sends the user's query directly to Bing as part of a remote HTTP request without any disclosure, consent, or privacy gating. User queries can contain sensitive personal, medical, workplace, or proprietary terms, and transmitting them to third-party search providers can leak data outside the local trust boundary.

Missing User Warnings

Medium, 93% confidence
Finding
The script transmits the query to Baidu, a third-party external service, with no user-visible notice or consent flow. This is especially sensitive because search terms may contain private information and cross-border transfer to another provider can raise elevated privacy, compliance, and data-handling concerns.

VirusTotal

65/65 vendors flagged this skill as clean.