
Security audit

Private Search

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but it makes broad private-search promises that the package does not appear to implement and handles credentials/configuration in ways users should review first.

Review before installing or relying on this for privacy. The script appears focused on Brave configuration rather than malicious activity, but verify any env file it will modify, protect the stored API key, and independently confirm OpenClaw actually routes searches through the intended provider because the advertised search-routing implementation is not present in the package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises shell-based setup (`bash scripts/setup-brave-search.sh`) and the analyzer detected shell capability, but the metadata declares no corresponding permissions or explicit capability boundaries. This is dangerous because users may run local shell commands that collect secrets, modify config files, or make network calls without clear disclosure or permission gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially overclaims what the skill actually implements: it promises general private search routing across multiple engines and configurable privacy features, but appears to only perform Brave-focused setup, key collection, config writes, and key validation. This mismatch is dangerous because users may trust privacy and routing guarantees that are not actually enforced, leading to unintended data disclosure to external services and unsafe secret-handling behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The page markets the skill as privacy-preserving while simultaneously soliciting email addresses for follow-up marketing, creating a material mismatch between the privacy claims and actual data-collection behavior. Even though the demo code only logs locally, the surrounding UI and messaging indicate lead capture, which can mislead users into sharing personal data under stronger privacy expectations than are actually disclosed.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The inline comment explicitly states that production behavior would send captured email addresses to third-party mailing-list providers such as ConvertKit or Mailchimp. This directly undermines the page's privacy-focused messaging and creates risk of undisclosed third-party data sharing, especially if users are induced by claims about avoiding ad networks and tracking.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The script echoes the first 8 characters of an existing or newly entered Brave API key back to the terminal. Even partial credential disclosure increases exposure through terminal scrollback, screen sharing, logs, or shoulder surfing, and setup scripts generally should avoid printing secrets at all.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
On API test failure, the script prints the full HTTP response body to the terminal. Error responses can contain account metadata, diagnostic details, or echoed request context that needlessly broadens sensitive exposure beyond what is required for setup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The email signup form collects personal information without a visible notice that the address may be transferred to an external mailing-list service. In the context of a privacy-themed landing page, omission of that warning is more likely to mislead users and may create compliance and trust risks around consent and transparency.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
A placeholder privacy-policy link gives users the appearance of a disclosure mechanism without actually providing one. This is particularly problematic on a page soliciting email addresses while promoting privacy, because users cannot review how their data will be processed before submitting it.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script stores the Brave API key in plaintext in `$HOME/.openclaw/.env` or `$HOME/.env` without checking or setting restrictive file permissions, and without warning the user. Plaintext secret storage in common environment files increases the risk of accidental disclosure to other local users, backup systems, tooling, or later shell/config inspection.

VirusTotal

54/54 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.