ClawHub

Web Search Plus

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-search plugin that sends searches and URLs to configured search providers, with some privacy and credential-storage precautions users should understand.

Install only if you are comfortable sending search queries and URLs to the configured providers. Avoid using research mode or URL extraction with confidential prompts, internal URLs, or proprietary targets unless those providers are approved for that data. If you use the setup CLI, keep the generated JSON config out of source control and restrict access to it because it may contain plaintext API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents research mode sending a user's query to multiple providers concurrently and extracting selected URLs, but it does not clearly warn that prompts, search terms, and fetched URLs may be transmitted to third-party services. In a web-search plugin, this creates a real privacy and data-governance risk because sensitive user input can be fanned out to several external vendors in one operation, increasing exposure and compliance impact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow prompts users to paste provider API keys and then persists them to a JSON file on disk in cleartext, without any warning, permission hardening, or guidance about secure storage. If the working directory is shared, backed up, committed to source control, or readable by other local users/processes, those credentials can be exposed and abused to access third-party search providers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The plugin sends user queries and supplied URLs to many third-party services for search and extraction, including auto-routing and research mode that may contact multiple providers for a single request. In an agent setting, this can disclose sensitive prompts, internal URLs, or proprietary targets without an explicit user-facing consent or disclosure boundary in the tool itself.

VirusTotal

55/55 vendors flagged this plugin as clean.

View on VirusTotal