26 Multi Search Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only search helper that sends user-chosen queries to public search engines and does not install code, request credentials, or persist data.

Install only if you are comfortable sending search terms to the listed search engines. Do not include passwords, tokens, private URLs, confidential project names, regulated data, or other sensitive information in queries; keep searches user-directed, especially when using advanced operators.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to send arbitrary search queries to multiple third-party search engines, but it provides no privacy warning that those terms will be transmitted to external services and may be logged, profiled, or linked to the user. This is especially relevant because search queries often contain sensitive research topics, internal project names, credentials by mistake, or other confidential data, and the skill normalizes broad web querying across many providers.

Missing User Warnings

Medium
Confidence: 96%
Finding
The document repeatedly instructs use of `web_fetch` against third-party search engines and knowledge services, but does not warn that user queries, metadata, and potentially sensitive research terms will be transmitted to external providers. In an agent skill context, examples are often copied into live workflows, so omission of privacy and data-sharing caveats can lead to unintentional disclosure of sensitive prompts, internal topics, or user interests.

VirusTotal

66/66 vendors flagged this skill as clean.
