ClawHub

秘塔搜索

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Metaso web-search helper that sends user searches to Metaso with an API key and shows no hidden or destructive behavior.

Install only if you are comfortable sending search queries and selected options to Metaso using a METASO_API_KEY from your environment. Do not search for secrets, private internal URLs, regulated data, or confidential proprietary text unless that use is approved, and ensure the Python requests package comes from a trusted environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata declares runtime requirements for an API key and implies Python/network usage, but it does not declare permissions to access environment variables or the network. This creates a transparency and governance gap: users and tooling may not realize the skill can read secrets and transmit data externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description says the skill performs web search, but it does not clearly warn that user queries and optional raw-content retrieval are sent to a third-party service. This can lead users to submit sensitive prompts or enable includeRawContent/includeSummary without understanding that external processing and content fetching will occur.

External Transmission

Medium
Category
Data Exfiltration
Content
## Request Example

```bash
curl --location 'https://metaso.cn/api/v1/search' \
--header 'Authorization: Bearer YOUR_API_KEY' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
Confidence
90% confidence
Finding
curl --location 'https://metaso.cn/api/v1/search' \ --header 'Authorization: Bearer YOUR_API_KEY' \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --data

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal