Local Web Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real web-search skill, but it needs review because its “local/private” framing is broader than its actual network, credential, and anti-bot behavior.

Install only if you are comfortable configuring and trusting the network endpoints it uses. Set LOCAL_SEARCH_URL to a SearXNG instance you control, leave LOCAL_SEARCH_FALLBACK_URL and BROWSER_WORKER_URL unset unless you intentionally trust those services, avoid sensitive searches through unknown proxies, and enable Gemini or 1Password access only with a scoped API key for that purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tainted flow: 'req' from os.environ.get (line 255, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    request_timeout = max(timeout + 10, timeout * 3)
    if mode in ("auto", "stealth", "dynamic"):
        request_timeout = max(request_timeout, 75)
    with urllib.request.urlopen(req, timeout=request_timeout) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    content = body.get("text") or ""
    return {
Confidence: 82%
Finding: with urllib.request.urlopen(req, timeout=request_timeout) as resp:

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill includes a 1Password-based secret retrieval workflow and encourages sourcing a local secrets file, which extends the skill from web search into credential access. Even if intended only for Gemini API authentication, this creates a pathway for an agent using the skill to access sensitive secret material and broadens the blast radius far beyond normal search functionality.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The documentation claims the skill is '100% free and private,' but the implementation can send queries to a configured public fallback endpoint and route traffic through detected proxies. This mismatch is security-relevant because users or upstream agents may make trust decisions based on the privacy claim and unknowingly exfiltrate sensitive search terms to third parties.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The security manifest states that only the search query string is sent externally, but the curl path also transmits a spoofed Google Referer and X-Real-IP header. Inaccurate disclosure of outbound metadata is dangerous because it undermines informed consent, may violate network policy expectations, and can create traceability or deception concerns when traffic reaches external services.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill explicitly instructs the agent to retry page access in a "stealth" mode when a site is JS-heavy or protected by anti-bot measures, but it provides no guardrails, consent checks, or policy limits. That normalizes bypassing publisher protections and could cause the agent to access content in ways the site operator did not intend, increasing legal, compliance, and abuse risk.

VirusTotal

66/66 vendors flagged this skill as clean.
