ClawHub

Websearch

Security checks across malware telemetry and agentic risk

Overview

This is a small web-search documentation skill whose external web providers are purpose-aligned and named, with no executable payload in the submitted artifact.

Installers should treat this version as documentation/sample material, not a complete runnable tool. Do not submit private intranet URLs, tokenized links, secrets, customer data, or confidential search terms unless you are comfortable sharing them with the named external providers. Re-review any future version that adds executable scripts or package files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to provide URLs and search keywords to scripts that call third-party services (Jina Reader and Exa), but it does not clearly disclose that those inputs will be transmitted off-host. This creates a privacy and data-handling risk because users may supply sensitive URLs, internal links, or confidential search terms without understanding they will be sent to external providers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises URL content extraction but does not warn users that requested URLs are fetched through the external Jina Reader service (`https://r.jina.ai/`). This can expose sensitive or internal URLs, query parameters, or user-supplied targets to a third party, creating privacy, data handling, and possible SSRF-adjacent risk if operators assume retrieval is local.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal