Cms Search

Security checks across malware telemetry and agentic risk

Overview

This search skill only performs web search, but it routes all internet lookups through its own CMS service and requires an environment credential that its install metadata does not fully disclose.

Install only if you intend all matching search requests to go through this CMS provider and you control a dedicated CMS_USER_KEY for it. Treat the broad 'must use this skill only' instructions as a review concern: users or administrators should narrow when the skill is invoked, allow alternative trusted search tools, and confirm what data and credential scope the CMS service receives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Low
Confidence: 84%
Finding:
The skill's manifest describes simple web search, but the code requires and uses a credential-like environment variable for authenticated access to a third-party service. This hidden capability reduces transparency and can mislead operators about trust boundaries, data flows, and deployment requirements.

Vague Triggers

High
Confidence: 98%
Finding:
The trigger conditions are extremely broad, covering common phrases like '搜索' (search), '查一下' (look it up), '帮我找' (help me find), and effectively any request that might benefit from internet access. Combined with the instruction that this skill 'must and only' be used instead of built-in search/browser tools, this can hijack a wide range of unrelated user requests and force traffic through an untrusted external pathway, increasing prompt-injection, data-handling, and tool-substitution risk.

Natural-Language Policy Violations

Medium
Confidence: 86%
Finding:
The description mandates use of this skill for Chinese-language search-related intents without any user opt-in and prohibits alternative search tools. While this is not a direct code-execution issue, it can override normal tool-selection behavior and reduce user control, especially in multilingual settings where the user may prefer another locale, provider, or safer built-in mechanism.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The code transmits a sensitive credential from the environment in a request header to an external service without any user-facing disclosure or consent mechanism. In a skill that performs network search, this increases risk because operators may unknowingly expose an internal credential to a remote backend whenever the skill is invoked.

VirusTotal

65/65 vendors flagged this skill as clean.