Web Search Plus

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent web-search skill, but it should be reviewed because broad auto-triggers, third-party query transmission, and default local query caching create privacy and control risks.

Review before installing in shared, corporate, or sensitive environments. Use it only when you are comfortable sending search terms and URLs to the selected providers, avoid putting secrets in queries, consider `--no-cache` or clearing `.cache/`, and do not run `test-auto-routing.sh` against an untrusted `.env` file.

SkillSpector (9)

By NVIDIA

Tainted flow: 'req' from input (line 257, user input) → urllib.request.urlopen (network output)

Medium
Category
Data Flow
Content
headers={"User-Agent": "ClawdBot-WebSearchPlus/2.5", "Accept": "application/json"}
            )

            with urllib.request.urlopen(req, timeout=10) as response:
                data = response.read().decode("utf-8")
                import json
                result = json.loads(data)
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and instructs use of scripts that read environment variables, access local files such as .env/config files, write runtime configuration, and make outbound network requests, but the skill file does not declare corresponding permissions. This creates a trust and review gap: a host may present the skill as low-privilege while it can actually handle secrets and perform external communications, increasing the risk of secret exposure, unintended file modification, or data exfiltration through search/extraction providers.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The FAQ explicitly describes local caching of search results in `.cache/` but does not warn that user queries and associated metadata may be written to disk, which can expose sensitive prompts, internal research topics, or operational data to other local users, backups, or forensic collection. In a search skill, queries often contain confidential business terms, investigative targets, or personal data, so undocumented persistence increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises unified web search and URL extraction across many external providers but does not clearly disclose that user queries and submitted URLs may be transmitted to third-party services. In an agent setting, prompts, search terms, and URLs can contain sensitive internal data, so missing disclosure increases the risk of unintended data exfiltration and unsafe use in privacy-sensitive environments.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases "search", "find", "look up", and "research" are extremely generic and are likely to match ordinary user requests unrelated to this specific skill. In an agent ecosystem, that can cause the skill to activate too often, intercept broad classes of prompts, and unnecessarily gain access to web-search or extraction workflows, increasing the chance of unintended data flow or tool invocation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script caches full search queries and associated metadata to disk by default, including potentially sensitive user prompts, domains, and provider choices, without clear user disclosure or explicit opt-in. On shared systems or agent hosts, this can expose private research topics, credentials accidentally pasted into queries, or other confidential activity to other local users or later processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script executes a local .env file with `source`, which treats the file as shell code rather than as passive configuration. If the .env file is modified by an attacker or contains unexpected shell syntax, arbitrary commands can run when the test script is started, potentially exposing secrets or compromising the developer environment.

Credential Access

High
Category
Privilege Escalation
Content
# Tests various query types to verify routing works correctly

# Load from environment or .env file
if [ -f .env ]; then
  source .env
fi
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Load from environment or .env file
if [ -f .env ]; then
  source .env
fi

# Check required keys
Confidence
99% confidence
Finding
.env

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
