ClawHub

UnSearch

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only UnSearch API integration whose network use is expected for web search and research, but users should avoid sending sensitive data unless they trust the provider.

Install this only if you intend to use UnSearch as a third-party search and research provider. Treat search terms, claims, URLs, and extraction requests as data sent to UnSearch; do not submit secrets, regulated data, internal-only URLs, pre-signed links, or confidential business prompts unless your policy allows it. Store UNSEARCH_API_KEY securely and rotate it if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (16)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes web search, scraping, content extraction, and deep research through an external UnSearch API but does not clearly disclose that user prompts, search queries, and supplied URLs will be transmitted off-host and may trigger network fetches to third-party sites. This can lead users or downstream agents to send sensitive data or internal URLs externally without informed consent, increasing privacy, data exfiltration, and SSRF-like risk in environments where agents can access non-public resources.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill clearly sends user queries, URLs, and potentially extracted page content to the external UnSearch service, but the description does not disclose that data leaves the local environment. This creates a real transparency and privacy risk because users may provide sensitive prompts or URLs without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
Search the web with optional content scraping.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
curl -X POST "https://api.unsearch.dev/api/v1/search" \ -H "X-API-Key: $UNSEARCH_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
AI-optimized search with optional answer generation.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/agent/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
curl -X POST "https://api.unsearch.dev/api/v1/agent/search" \ -H "X-API-Key: $UNSEARCH_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Extract content from specific URLs.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/agent/extract" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
97% confidence
Finding
curl -X POST "https://api.unsearch.dev/api/v1/agent/extract" \ -H "X-API-Key: $UNSEARCH_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "urls": ["https://example.com/article"], "e

External Transmission

Medium
Category
Data Exfiltration
Content
Verify claims against multiple sources.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/verify/claim" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
curl -X POST "https://api.unsearch.dev/api/v1/verify/claim" \ -H "X-API-Key: $UNSEARCH_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
For sensitive queries, enable zero-retention:

```bash
curl -X POST "https://api.unsearch.dev/api/v1/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "X-Zero-Retention: true" \
  -H "Content-Type: application/json" \
Confidence
90% confidence
Finding
curl -X POST "https://api.unsearch.dev/api/v1/search" \ -H "X-API-Key: $UNSEARCH_API_KEY" \ -H "X-Zero-Retention: true" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## API Endpoints

**Base URL:** `https://api.unsearch.dev/api/v1`

All requests require header: `X-API-Key: $UNSEARCH_API_KEY`
Confidence
94% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Search the web with optional content scraping.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
AI-optimized search with optional answer generation.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/agent/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Extract content from specific URLs.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/agent/extract" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
97% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Multi-source research with AI synthesis.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/agent/research" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
Verify claims against multiple sources.

```bash
curl -X POST "https://api.unsearch.dev/api/v1/verify/claim" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
import os

API_KEY = os.environ["UNSEARCH_API_KEY"]
BASE_URL = "https://api.unsearch.dev/api/v1"

async def search(query: str, scrape: bool = False):
    async with httpx.AsyncClient() as client:
Confidence
95% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
const API_KEY = process.env.UNSEARCH_API_KEY;
const BASE_URL = "https://api.unsearch.dev/api/v1";

async function search(query, scrapeContent = false) {
  const response = await fetch(`${BASE_URL}/search`, {
Confidence
95% confidence
Finding
https://api.unsearch.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
For sensitive queries, enable zero-retention:

```bash
curl -X POST "https://api.unsearch.dev/api/v1/search" \
  -H "X-API-Key: $UNSEARCH_API_KEY" \
  -H "X-Zero-Retention: true" \
  -H "Content-Type: application/json" \
Confidence
90% confidence
Finding
https://api.unsearch.dev/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal