smartsearch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill, but users should treat searches and the API key as data sent to Cloudsway.

Install only if you trust Cloudsway with your search queries and API usage. Avoid putting secrets, private customer data, or highly sensitive topics into searches, store CLOUDSWAYS_AK carefully, and avoid troubleshooting by echoing the key in shared logs or screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill advertises itself for very broad categories like web search, online information lookup, fact checking, and browsing websites without meaningful constraints or safety boundaries. In an agent environment, this can cause over-triggering on routine prompts and send user queries to an external service unnecessarily, increasing privacy and data-handling risk.

Vague Triggers

Medium
Confidence: 90%
Finding
The usage guidance says to use the skill whenever the user asks about broad research, website information, fact verification, or documentation, which overlaps with many normal assistant tasks. This increases the chance an agent invokes the external search tool by default, exposing user prompts and retrieved content to a third party when it may not be necessary.

Missing User Warnings

Medium
Confidence: 94%
Finding
The API documentation shows queries and authorization data being sent to an external endpoint but does not warn users that their search terms and associated metadata leave the local environment. This is dangerous because users may unknowingly transmit sensitive prompts, research topics, or personal data to a third-party search provider.

Missing User Warnings

Medium
Confidence: 86%
Finding
The setup instructions tell users to export an API key in an environment variable but provide no guidance on secure handling, shell history exposure, logging risks, or secret scoping. In shared or instrumented environments, this can lead to accidental credential disclosure and unauthorized use of the external service.

VirusTotal

64/64 vendors flagged this skill as clean.
