Openclaw Web Search Mcp

Security checks across malware telemetry and agentic risk

Overview

This web research skill matches its stated purpose, but one transcript tool can pass a user-supplied URL into a local shell command.

Review before installing. Use only with trusted inputs, avoid internal or sensitive URLs, and do not pass secrets in search queries or web content. The publisher should replace the shell command with argument-array execution or a safer transcript library, validate/allowlist URLs, add request limits, and document what data is sent to external sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium (98% confidence)
Finding
The code constructs a shell command with untrusted input (`url`) interpolated directly into `execSync(...)`. Because this uses a shell, a crafted URL containing shell metacharacters or command substitution can break out of quoting and execute arbitrary OS commands with the privileges of the running process.

Context-Inappropriate Capability

High (90% confidence)
Finding
The skill constructs and executes a shell command using a URL variable, which creates unnecessary subprocess execution capability for a task that could be handled with a safer API/library interface. If the URL is ever user-controlled and not strictly validated/escaped, this can become command injection; even without injection, it expands the attack surface by allowing external binary execution and network access.

Missing User Warnings

Medium (96% confidence)
Finding
This skill clearly performs external network operations including Google searches, webpage retrieval, PDF fetching, YouTube transcript access, and automated research, but the description does not warn users that prompts or retrieved content may be sent to third-party services or arbitrary URLs. In an agent setting, that omission can lead users to unknowingly authorize data exposure, interaction with untrusted content, and outbound requests that may have privacy, compliance, or SSRF-like implications depending on deployment context.

Missing User Warnings

Medium (91% confidence)
Finding
The function performs a server-side fetch to an arbitrary caller-supplied URL with no validation, allowlisting, or user disclosure. This creates SSRF-style risk because an attacker could cause requests to internal services, cloud metadata endpoints, or other unintended network targets, and the fetched content is then parsed and returned.

Missing User Warnings

Medium (90% confidence)
Finding
This link extraction helper also issues a server-side request to an arbitrary URL without validation or warning. That exposes the same SSRF and unintended network access concerns, and could be abused to scan reachable internal endpoints or access sensitive resources from the environment where the skill runs.

Missing User Warnings

Medium (93% confidence)
Finding
The function performs a server-side fetch of an attacker-controlled URL with no validation, allowlist, or restriction on destination. This creates an SSRF primitive and can also expose the service to denial-of-service risks by downloading large files or parsing malicious PDFs, especially because the code immediately processes the retrieved content.

Missing User Warnings

Medium (78% confidence)
Finding
The skill writes subtitle data to a local file path in the workspace without any evident disclosure, consent, or controls around storage lifecycle. Persisting fetched content on disk can leak user activity, accumulate sensitive data, or expose artifacts to other components/users if permissions and cleanup are not handled properly.

VirusTotal

66/66 vendors flagged this skill as clean.
