ClawHub

Perplexity Hardened

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Perplexity search helper that sends requested search terms to Perplexity using the user's API key, with no hidden persistence or unrelated data access found.

Install only if you are comfortable sending your search terms to Perplexity with your PERPLEXITY_API_KEY. Do not put secrets, private file contents, customer data, credentials, or other sensitive values into search queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code sends the user's query data to https://api.perplexity.ai/search, which is a network operation that transmits user input off-system. The script includes no confirmation prompt or user-facing warning about this transmission beyond a usage example, so users may not realize their queries are being sent to a third-party service.

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function search(queries) {
  const response = await fetch("https://api.perplexity.ai/search", {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${apiKey}`,
Confidence
60% confidence
Finding
fetch("https://api.perplexity.ai/search", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
}

async function search(queries) {
  const response = await fetch("https://api.perplexity.ai/search", {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${apiKey}`,
Confidence
50% confidence
Finding
https://api.perplexity.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal