Metaso Search

Security checks across malware telemetry and agentic risk

Overview

The skill reads as a coherent Metaso search helper. The main issue is documentation that tells users to store the API key in a plaintext local file, not any evidence of hidden or harmful behavior in the skill itself.

Before installing, treat any Metaso API key as sensitive: supply it through an environment variable or a secret manager, never write it to a plaintext file that backups, sync tools, or source control can pick up, and rotate the key if it has ever been stored that way or may otherwise have been exposed. The skill should remain user-directed for search use; the artifacts reviewed here show no hidden execution or data exfiltration.
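The following is an added example, not code from the Metaso Search skill or its README. It shows the handling the overview recommends: the key is read only from the process environment and the call fails closed when it is absent, and a small scanner walks a skill directory to flag plaintext key files such as the one the README recommends, reporting whether each is world-readable and whether `.gitignore` covers it. The environment-variable name `METASO_API_KEY`, the `secrets/` layout, the fake token, and the simplified `.gitignore` matching are all assumptions made for this example.

```python
"""Added example (not the skill's own code): keep the Metaso key out of
plaintext files and detect one that was left behind.

Assumptions: the environment-variable name METASO_API_KEY, the secrets/
directory layout, and the sample token are made up for this example;
the skill's README does not specify them."""
import fnmatch
import os
import re
import stat
import tempfile
from pathlib import Path

KEY_ENV_VAR = "METASO_API_KEY"          # assumed name, not from the README

# Crude heuristic: a line that is nothing but one long token-like string.
KEY_LINE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
SUSPICIOUS_SUFFIXES = {".txt", ".key", ".secret", ".env"}


def load_api_key(env=None) -> str:
    """Read the key from the environment only; fail closed if it is absent."""
    env = os.environ if env is None else env
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(
            f"{KEY_ENV_VAR} is not set; export it or inject it from a secret manager"
        )
    return key


def is_gitignored(root: Path, rel: Path) -> bool:
    """Simplified .gitignore check: ignored parent dir, path glob, or basename glob."""
    gi = root / ".gitignore"
    if not gi.is_file():
        return False
    posix = rel.as_posix()
    for raw in gi.read_text(encoding="utf-8").splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        if pat.endswith("/"):                      # directory pattern, e.g. "secrets/"
            if pat.rstrip("/") in rel.parts[:-1]:
                return True
        elif fnmatch.fnmatch(posix, pat.lstrip("/")) or fnmatch.fnmatch(rel.name, pat):
            return True
    return False


def find_plaintext_key_files(root: Path) -> list:
    """Flag files under secrets/ or with a secret-ish suffix that hold a bare token."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        in_secrets_dir = "secrets" in rel.parts[:-1]
        if not (in_secrets_dir or path.suffix.lower() in SUSPICIOUS_SUFFIXES):
            continue
        try:
            lines = path.read_text(encoding="utf-8", errors="ignore").splitlines()
        except OSError:
            continue
        if not any(KEY_LINE.match(line.strip()) for line in lines):
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": rel.as_posix(),
            "world_readable": bool(mode & stat.S_IROTH),   # depends on umask
            "gitignored": is_gitignored(root, rel),
        })
    return findings


def build_demo_skill_dir() -> Path:
    """Constructed sample tree following the README's advice; the token is fake."""
    root = Path(tempfile.mkdtemp(prefix="metaso-skill-"))
    (root / "secrets").mkdir()
    # Same path the scanner finding names; the content is a made-up token.
    (root / "secrets" / "key存储文档.txt").write_text(
        "mk-0123456789abcdef0123456789\n", encoding="utf-8")
    (root / "README.md").write_text(
        "# Metaso Search\nPut your key in secrets/key存储文档.txt\n", encoding="utf-8")
    (root / ".gitignore").write_text("secrets/\n", encoding="utf-8")
    return root


def run_demo() -> list:
    """Build the sample tree and return the plaintext-key findings for it."""
    return find_plaintext_key_files(build_demo_skill_dir())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Even when the file is gitignored, as in the constructed sample, it still sits on disk in plaintext for backups, sync clients, and any local malware to read, which is why the scanner reports it either way; the `.gitignore` status only tells you whether source control is one of the leak paths.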

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly instructs users to store the API key in a plaintext local document, which raises the likelihood of credential exposure through backups, sync tools, accidental sharing, local malware, or inclusion in source control. This is documentation rather than executable code, but normalizing insecure secret handling leads directly to account misuse and unauthorized API consumption billed to the key owner.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly recommends storing the API key in a plaintext local file (`secrets/key存储文档.txt`, roughly "key storage document") without any warning about file permissions, encryption, or accidental disclosure. This increases the likelihood of credential leakage through source control, backups, logs, shared folders, or other local compromise, any of which would allow unauthorized use of the external API.

VirusTotal

64/64 vendors reported no detection for this skill. Note that antivirus verdicts cover known malicious code in the submitted files; a clean result does not address the plaintext-key storage advice flagged above.
