Curated Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local documentation search tool with an optional user-run crawler for whitelisted public sites.

Review config.yaml before running npm run crawl because it will contact the listed public sites and store an index locally. Keep dependencies updated, use lockfile-based installs where appropriate, and only enable the cron/systemd examples if you want scheduled refreshes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill is presented primarily as a local, domain-restricted search tool, but the documented behavior also includes a crawler, outbound HTTP fetches, content transformation, local file writes, and package publishing support. This mismatch can mislead users and security reviewers into underestimating network, file-system, and supply-chain exposure, increasing the chance of unsafe installation or execution in restricted environments. The context makes this somewhat less dangerous because crawling is described as optional and whitelist-scoped, but the undisclosed breadth of behavior is still security-relevant.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The domain guide materially broadens the skill from curated technical documentation into commercial product pages and broad community/reference content, which increases the chance of irrelevant, low-trust, or policy-problematic indexing. In a domain-restricted search skill, scope expansion is dangerous because downstream agents may treat results as authoritative technical documentation even when sourced from noisy or non-curated sites.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The fallback guidance includes anti-blocking tactics, alternate paths, and mirror usage aimed at continuing crawling when sites resist access. Even without explicit exploit code, this normalizes scraping-evasion behavior that can lead to terms-of-service violations, collection from unintended hosts, and operational abuse of third-party services, which is misaligned with a curated documentation search use case.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The manifest states that no environment variables are accessed, but the health check explicitly forwards the entire parent process environment to the spawned search tool via `env: process.env`. Even if this script does not directly read secrets, passing all environment variables to a child process expands the trust boundary and can expose credentials or tokens to `search.js` or any code it invokes, while also making the manifest inaccurate for reviewers.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: Registering global SIGINT/SIGTERM handlers and calling `process.exit` affects the entire host process, not just this skill. In an agent/plugin environment, this allows the component to terminate unrelated workloads or the whole orchestrator during normal operation or on repeated signals, which is far beyond the needs of curated documentation search.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The finalize routine unconditionally calls `process.exit(0)` after crawl completion, which forcibly terminates the entire Node.js process. In a shared runtime this becomes a denial-of-service primitive: simply invoking the crawler to completion can kill the host agent, other skills, and in-flight tasks.

VirusTotal

66/66 vendors flagged this skill as clean.