search1

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it runs a user-invoked Tavily web search using the user's Tavily API key.

Install only if you are comfortable sending search queries to Tavily under your Tavily API key. Avoid entering secrets or sensitive personal data in search queries, and verify the package metadata if strict provenance matters to you.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill description and usage text do not warn that search queries and related request data are transmitted to the external Tavily API. Users may supply sensitive prompts, identifiers, or investigative terms under the assumption that the action is local, resulting in unintended disclosure to a third party.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: User search queries and the API credential are transmitted to a third-party provider, but the code provides no user-facing disclosure, consent mechanism, or warning about external data handling. In an agent setting, users may supply sensitive prompts or proprietary data, so undisclosed transmission creates a real privacy and compliance risk even if the functionality is intended.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal