Back to skill

Security audit

Deep Research Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web-research skill that searches public sources, fetches pages, and saves reports locally, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you want an agent to send research queries to DuckDuckGo, fetch selected third-party pages, and write reports under ~/clawd/research. For sensitive or regulated topics, ask the agent to keep results in chat only or avoid external web fetching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README frames the skill as something an agent will automatically use for generic prompts like 'research something' or 'deep dive', without clear constraints, approval boundaries, or scoping guidance. In an agent ecosystem, overly broad activation language can cause the skill to run on routine user requests and trigger unintended web access, content retrieval, and downstream actions such as saving outputs, increasing the chance of privacy, policy, or cost-impacting behavior.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises full-page fetching and saving results to files, but does not warn users that prompts, generated queries, fetched URLs, and saved reports may expose sensitive topics or persist potentially sensitive data locally. In a research skill, these capabilities are core features, but without disclosure and safe-use guidance they create a real risk of unintentional data exposure or side effects when used by autonomous agents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to create directories and save reports to disk automatically, but it does not require explicit user consent or provide a warning that persistent files will be created. This can lead to unexpected data retention, storage of sensitive user prompts or research topics, and accidental persistence of regulated or confidential information on the host.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.