Web Claude

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed web-search helper with local caching and optional logged-in Claude.ai browser fallback, but the reviewed artifacts do not show hidden, destructive, or deceptive behavior.

Install this only if you are comfortable with searches being sent to Brave, DuckDuckGo, or Claude.ai and with search records being saved locally in memory/research/. Avoid sensitive queries unless you force the provider you trust and periodically review or delete cached research files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill states that all search results are automatically saved to `memory/research/`, but it does not prominently warn users that sensitive queries, research topics, and extracted insights may persist on disk. This creates a real privacy and data-handling risk because searches may contain confidential business intent, personal data, or regulated topics that become accessible to other tools, users, or future sessions.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal