Dandan Multi Search

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only multi-search helper that sends user queries to public search engines but does not include hidden code, persistence, credentials, or local data access.

Use this for ordinary web searches. Avoid submitting confidential, private, or account-specific text unless you are comfortable sharing it with the chosen search engine, and prefer a privacy-focused engine for sensitive topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill description says it should trigger for broad requests like '当用户要求搜索、多引擎搜索、聚合搜索、隐私搜索、或需要全面信息检索时触发' ("trigger when the user asks for search, multi-engine search, aggregated search, private search, or needs comprehensive information retrieval"), which overlaps with many normal user intents and can cause the skill to activate when the user did not explicitly request this tool. Over-broad triggering can lead to unintended web access, privacy leakage of user queries to third-party search engines, and tool-selection hijacking away from safer or more appropriate skills.

Vague Triggers

Medium
Confidence: 95%
Finding
The listed trigger examples include ambiguous everyday phrases such as '帮我查一下' ("help me look something up") and broad conditions like '需要全面信息检索时' ("when comprehensive information retrieval is needed"), which are not sufficiently scoped to web-search-specific intent. In an agent environment, these phrases can spuriously invoke the skill for routine assistance requests, causing unnecessary external requests and exposing user content to search providers.

VirusTotal

65/65 vendors flagged this skill as clean.