ClawHub

AI Search by Desearch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Desearch API search helper; the main risk is that searches and an API key are used with an external service.

Install only if you are comfortable sending search queries to Desearch and using a Desearch API key. Avoid putting passwords, tokens, private documents, or confidential business information into queries, and monitor any paid quota or balance tied to the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description encourages users to submit arbitrary search queries but does not warn that those queries are sent to a third-party service and may involve social-platform sources such as X/Twitter and Reddit. This creates a privacy and data-handling risk because users may unknowingly transmit sensitive prompts, internal research topics, or personal data to an external provider and associated indexed sources.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI sends the user's query to a third-party service at api.desearch.ai, but there is no explicit user-facing disclosure at execution time that the entered query will leave the local environment. This is a real privacy/security concern because users may enter sensitive internal terms, credentials, or proprietary text under the assumption the tool is performing a local search, and the skill context specifically encourages broad internet/social aggregation, increasing the chance of external transmission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal