
Security audit

ProFind

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ProFind automation skill, but it should be used carefully because it can expose or change local file information when the user enables those workflows.

Install only if you trust ProFind and are comfortable granting broad file-search access. Keep the Media Server disabled unless needed, review scripts before placing them in ~/Library/Scripts/ProFind, and be especially careful with scripts that rename files, move items to Trash, copy paths, email paths, or query search results over the local API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README presents a file-search skill but also advertises a separate HTTP/SOAP media-server query interface, which expands the skill’s capability surface beyond the stated purpose. Undocumented or weakly justified secondary interfaces increase attack surface and make it easier to access or expose search-result data in ways users may not expect from a local file-search tool.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Exposing a Media Server HTTP API in a skill whose stated purpose is file searching is a scope mismatch that can enable unintended access paths to sensitive search-result metadata. Because the README notes the API reflects recent ProFind UI search results, local data may become programmatically accessible through an additional interface that users may not realize is active.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
A skill marketed as search-only also includes examples for deleting, renaming, and emailing results, which materially expands the trust boundary from discovery to modification and disclosure. In this context, that is risky because users may invoke it expecting non-destructive behavior while embedded scripts can alter data or leak file information.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented Mail and DuckDuckGo script hooks introduce external communication unrelated to core local file search. Even if these are examples, they normalize sending file names or paths outside the system, which can expose sensitive project names, customer data, or filesystem structure.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation for a file-search skill exposes built-in script hooks that go beyond passive search and include destructive or side-effecting actions such as moving files to Trash, emailing paths, and invoking external tools. This broadens the capability surface from search to file manipulation and data sharing, which can surprise users and increase the chance of misuse or unsafe automation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The sample scripts demonstrate shell execution, opening external applications, composing email, clipboard writes, and web searches using selected file paths. In the context of a search skill, these examples normalize exfiltration and command execution pathways without clear trust boundaries or safety guidance, making abuse or accidental disclosure more likely.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script queries the macOS TCC database to inspect Full Disk Access, which is a sensitive privacy-permission check outside the narrow scope of copying a skill file. Even though it appears intended to help the user configure ProFind, directly inspecting TCC state increases privacy sensitivity and can normalize access to protected system metadata without strong justification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to grant Full Disk Access but does not clearly warn that this gives the application broad visibility into sensitive files across the system. In the context of an automation skill that can search files, run scripts, and query results programmatically, this significantly increases privacy and misuse risk if the skill or dependent app behaves unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown includes destructive and mutating script actions such as moving files to Trash and batch renaming, but without prominent safety guidance, confirmation requirements, rollback advice, or scoping restrictions. In a skill intended for automation, this increases the chance of accidental bulk data modification or deletion.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document describes emailing file paths and querying media/search data over HTTP without explaining the privacy implications of exposing file names, paths, and metadata. File paths often contain usernames, project names, customer identifiers, or other sensitive context, so omission of privacy warnings is risky.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The batch rename example directly modifies filenames with mv but does not warn that it changes user data, may break references, or can have unintended effects when run on many files. Even though arguments are quoted, the main issue is unsafe documentation posture: it presents a destructive operation as a simple example without caution, preview, or rollback guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The mail example collects selected file paths and inserts them into an email message, potentially exposing sensitive directory structures, usernames, project names, or confidential filenames to the Mail app and recipients. Because the documentation does not clearly warn about this disclosure, users may unintentionally share sensitive metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installer performs sensitive system-permission introspection without an upfront warning before accessing the TCC database. Even if the goal is diagnostic, reading this database is not obvious to users and reduces transparency around what the installer inspects on the host system.

VirusTotal

64/64 vendors flagged this skill as clean.
