博查搜索

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Bocha web search skill that uses a user-provided API key and sends search terms to Bocha’s API.

Install only if you are comfortable sending search terms to Bocha and using a Bocha API key or account quota. Avoid searching for secrets, private internal identifiers, regulated data, or sensitive personal information unless Bocha’s data handling terms are acceptable for your use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The skill clearly sends user-provided search queries to an external third-party API, but the description does not warn users that their prompts or search terms leave the local environment. This creates a privacy/transparency risk because users may submit sensitive terms without realizing they are being disclosed to Bocha Search.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script sends the user-provided search query to a third-party service but does not clearly disclose that transmission in its CLI help or runtime output. In an agent-skill context, users or downstream systems may assume the search is local, causing accidental disclosure of sensitive prompts, identifiers, or proprietary data to an external provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal