
Security audit

AIDSO 虾搜 GEO

Security checks across malware telemetry and agentic risk

Overview

The skill matches its AIDSO GEO purpose, but users should review it because it stores and transmits API keys and can persistently write brand data with limited safeguards.

Install only if you trust AIDSO with your API key and brand data. Use a scoped or revocable API key if available, protect or delete the generated .env file when no longer needed, do not set GEO_API_BASE_URL unless you intentionally trust that endpoint, and review knowledge-base additions carefully because they may persist remotely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'headers' from os.getenv (line 119, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
}

    try:
        response = requests.post(
            BIND_URL,
            headers=headers,
            data=json.dumps(payload, ensure_ascii=False).encode("utf-8"),
Confidence: 95%
Finding: response = requests.post( BIND_URL, headers=headers, data=json.dumps(payload, ensure_ascii=False).encode("utf-8"), timeout=30, )

Tainted flow: 'API_URL' from os.environ.get (line 48, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
"Content-Type": "application/json; charset=utf-8",
    }

    resp = requests.post(
        API_URL,
        headers=headers,
        data=json.dumps(payload, ensure_ascii=False).encode("utf-8"),
Confidence: 96%
Finding: resp = requests.post( API_URL, headers=headers, data=json.dumps(payload, ensure_ascii=False).encode("utf-8"), timeout=120, )

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to read environment variables, read and write files (including creating a local .env), and make network-backed API calls, yet it does not declare any permissions. This creates a transparency and least-privilege problem: users and the hosting platform cannot accurately assess or constrain sensitive capabilities such as secret handling and filesystem writes.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding: The problem-mining trigger phrases are broad enough that ordinary user requests could accidentally invoke a chargeable or stateful workflow. In this skill's context, that is more concerning because the workflow can consume API-backed resources, create background task state, and lead users into billing/credit-confirmation flows they did not intend.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The CLI accepts an API key and immediately sends it to a third-party service for validation without an explicit warning, confirmation, or dry-run mode. This is risky because users may assume the key is only stored locally in `.env`, while the tool actually discloses it to a remote service.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The tool transmits user-supplied brand names and question content to an external third-party API without an explicit disclosure or consent step at the point of use. In an agent/skill context, users may assume local processing, so silent transmission can cause unintended data exposure, especially if questions contain sensitive commercial or customer information.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill persists the supplied API key into a local .env file, but the user is not clearly warned that the credential will be stored on disk for future reuse. In shared agent environments, local credential persistence increases the chance of accidental disclosure to other skills, users, backups, logs, or filesystem readers.

VirusTotal

59/59 vendors flagged this skill as clean.
