02 联网搜索 (Web Search)

Security checks across malware telemetry and agentic risk

Overview

This is a normal web-search skill that sends user queries to search providers and stores a disclosed local cache, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you are comfortable with search queries being sent to external search providers and cached locally at ~/.ai_search_cache.db. Avoid searching for secrets, credentials, private customer data, or other sensitive text. In managed environments, consider pinning dependency versions and clearing or disabling the cache if search history retention is not acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes outbound network access and shell-capable guidance. This creates a transparency and consent problem: hosts or users may approve the skill under a lower-risk assumption, even though it can reach external services and includes shell commands in troubleshooting.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The documented purpose understates important behaviors such as persistent local caching of queries/results and an interactive command-line workflow. These undocumented behaviors matter for privacy, data retention, and execution surface, so the mismatch can mislead reviewers and users about what data is stored and how the skill operates.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill persists user search queries and results to a SQLite database in the user's home directory, even though it is presented as a 'safe' web search tool and does not clearly disclose this behavior. Search history can contain sensitive prompts, research topics, credentials accidentally pasted into queries, or other private data, creating a local privacy and data-retention risk if the host is shared, backed up, or later accessed by another process or user.
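A practical follow-up to this finding is to look at what the cache already holds before deciding whether to keep it. The script below is an added example written for this page, not the skill's own code: it opens the SQLite file read-only, discovers the tables from sqlite_master (the skill's real table layout is not known, so none is assumed), scans every text column for a few secret-shaped indicators, and offers a purge helper. The sample rows, the `queries` table and the indicator patterns are all constructed for illustration.

```python
import re
import sqlite3
from pathlib import Path

# Default cache location documented on this page.
CACHE_PATH = Path.home() / ".ai_search_cache.db"

# Indicators that should never appear in a search history. Illustrative, not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.IGNORECASE),
    "password_assignment": re.compile(r"\bpass(?:word|wd)?\s*[=:]\s*\S+", re.IGNORECASE),
}


def scan_cache(conn: sqlite3.Connection) -> list:
    """Walk every user table and every text column; return one record per match.
    The schema is read from sqlite_master, so the skill's actual layout does not
    need to be assumed."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # identifier quoting, not a value
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        for row_no, row in enumerate(conn.execute(f"SELECT * FROM {quoted}")):
            for column, value in zip(columns, row):
                if not isinstance(value, str):
                    continue
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(value):
                        hits.append({"table": table, "row": row_no,
                                     "column": column, "indicator": label})
    return hits


def build_sample_cache() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ~/.ai_search_cache.db. The table layout
    and rows are assumptions for this example, not the skill's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queries (id INTEGER PRIMARY KEY, query TEXT, result TEXT, ts TEXT)")
    conn.executemany("INSERT INTO queries (query, result, ts) VALUES (?, ?, ?)", [
        ("best pizza near me", "...", "2024-01-01"),
        ("why does AKIAIOSFODNN7EXAMPLE get AccessDenied", "...", "2024-01-02"),
        ("curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ' returns 401", "...", "2024-01-03"),
        ("postgres password=hunter2 connection refused", "...", "2024-01-04"),
    ])
    conn.commit()
    return conn


def purge_cache(path: Path = CACHE_PATH) -> bool:
    """Delete the cache file. Returns True if a file was actually removed."""
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Read-only open of the real cache when present; otherwise the constructed sample.
    if CACHE_PATH.exists():
        conn = sqlite3.connect(f"file:{CACHE_PATH}?mode=ro", uri=True)
    else:
        conn = build_sample_cache()
    for hit in scan_cache(conn):
        print(hit)
```

Run it before clearing the cache: a non-empty hit list is the signal that the retention problem described in the finding has already materialised on that host, and that a backup or shared-account review is warranted in addition to deleting the file.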

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The code declares an allowlist of approved search-engine domains, but the implemented URL validation only checks that the scheme is HTTP or HTTPS and never enforces the documented domain restriction. This mismatch weakens the trust boundary: the tool may return or accept links from arbitrary hosts, undermining the stated safety guarantees and potentially exposing downstream users or components to malicious or deceptive URLs.
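The gap described in this finding (an allowlist that is declared but never consulted) is easiest to see with the weak check next to an enforcing one. The block below is an added example, not the skill's code: `is_valid_url_weak` reproduces the reported behaviour of checking only the scheme, and `is_valid_url_strict` adds the host allowlist. The three allowed domains and the sample result links are assumptions for illustration. The strict version relies on `urlparse(...).hostname`, which is lowercased and has userinfo and port stripped, so lookalike forms such as `https://google.com@evil.example/` are judged by the real host.

```python
from urllib.parse import urlparse

# Allowlist of search-engine domains. The skill reportedly declares such a list;
# these particular entries are an assumption for this example.
ALLOWED_SEARCH_DOMAINS = ("google.com", "bing.com", "duckduckgo.com")


def is_valid_url_weak(url: str) -> bool:
    """Reproduces the reported defect: the scheme is checked, the host is not,
    so any http(s) URL passes and the allowlist is never enforced."""
    return urlparse(url).scheme in ("http", "https")


def is_valid_url_strict(url: str, allowed=ALLOWED_SEARCH_DOMAINS) -> bool:
    """Scheme check plus host allowlist (exact domain or a subdomain of it)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # lowercased; userinfo ('user@') and ':port' removed
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def filter_results(urls, validator=is_valid_url_strict):
    """Keep only links that pass the validator. The same filter should apply to
    outgoing provider URLs and to links handed back to the model or user."""
    return [u for u in urls if validator(u)]


# Constructed sample of what a search response might hand back.
SAMPLE_RESULTS = [
    "https://www.google.com/search?q=cve",
    "https://GOOGLE.COM/",
    "https://google.com@evil.example/",          # userinfo trick: real host is evil.example
    "https://google.com.evil.example/login",     # allowlisted name as a prefix, not the domain
    "https://evil.example/?next=https://google.com",
    "ftp://bing.com/pub",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    print("weak  :", filter_results(SAMPLE_RESULTS, is_valid_url_weak))
    print("strict:", filter_results(SAMPLE_RESULTS))
```

With the weak check every `https://` entry survives, including the three hostile ones; with the strict check only the two genuine Google links remain. Note that the strict check still says nothing about the path or query string, which is the right scope for a host allowlist; content filtering of the returned page is a separate control.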

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Solution**:
```bash
# Clear the cache
rm ~/.ai_search_cache.db
```

### Problem 3: Search results are irrelevant
Confidence
94% confidence
Finding
rm ~/

VirusTotal

66/66 vendors flagged this skill as clean.
