
Security audit

豆包WebSearch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed web-search integration that sends a user query and its own Redfox API key to the Redfox Doubao search service, with no evidence of hidden persistence, broad data access, or destructive behavior.

Install only if you are comfortable sending search queries to Redfox/Doubao and using a REDFOX_API_KEY for authentication. Avoid submitting secrets, personal data, or confidential business content as search queries, and prefer explicit invocations so routine local questions are not sent externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'headers' from os.environ.get (line 47, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    # ── Step 1: submit the search ──────────────────────────────────
    try:
        submit_resp = requests.post(
            f"{API_BASE}/submit",
            json={"inquiry_text": query, "source": source},
            headers=headers,  # carries the REDFOX_API_KEY read from the environment
Confidence
90% confidence
Finding
submit_resp = requests.post( f"{API_BASE}/submit", json={"inquiry_text": query, "source": source}, headers=headers, timeout=30, )

Tainted flow: 'headers' from os.environ.get (line 47, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        time.sleep(POLL_INTERVAL)

        try:
            result_resp = requests.post(
                f"{API_BASE}/result",
                json={"taskId": task_id},
                headers=headers,  # same credential-bearing headers as the submit call
Confidence
90% confidence
Finding
result_resp = requests.post( f"{API_BASE}/result", json={"taskId": task_id}, headers=headers, timeout=30, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes a Python script that uses environment variables and external network access, but the skill metadata does not declare those capabilities. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can access, and policy engines may fail to apply appropriate restrictions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include broad terms such as '联网搜索' and 'AI搜索', which are likely to overlap with many ordinary user requests. This can cause unintended activation of the skill, leading to unnecessary transmission of user queries to a third-party service and reducing user control over when external search is used.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description explains functionality but does not clearly warn users that their search queries are sent to the external Redfox API service to access Doubao search. This is a privacy and consent issue because user-provided content may contain sensitive data and will leave the local agent boundary without explicit notice.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import os
import requests

API_BASE = "https://redfox.hk/story/api/doubaoSearch"
API_KEY = os.environ.get("REDFOX_API_KEY")  # credential read from the environment
MAX_ATTEMPTS = 60  # poll for at most 5 minutes
POLL_INTERVAL = 5  # polling interval (seconds)
Confidence
70% confidence
Finding
os.environ.get("REDFOX_API_KEY")

VirusTotal

62/62 vendors flagged this skill as clean.
