Smart Web Search

Security checks across malware telemetry and agentic risk

Overview

This web search skill mostly does what it claims, but it also runs package installs during normal use and weakens browser protections while fetching arbitrary pages.

Install only if you are comfortable with this skill sending searches, IP-based region probes, and fetched result URLs to third-party services. Review or remove the runtime npm install behavior before using it in a sensitive environment, and prefer disabling default content fetching for confidential queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script dynamically runs `npm install` via `child_process.execSync` when dependencies are missing. That grants shell execution and allows unreviewed code from the npm registry to be fetched and executed at runtime, which is far beyond a normal fetch/search skill and creates a strong supply-chain and arbitrary-code-execution risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The browser is launched with multiple flags that disable key isolation and protection mechanisms, including web security, site isolation, and sandboxing. In a skill designed for arbitrary web searching and content retrieval, this materially increases the blast radius of a malicious page: cross-origin protections are weakened and a renderer compromise would face fewer containment barriers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill dynamically runs `npm install` at runtime for `cheerio` and `commander`, which executes package-manager logic and arbitrary package lifecycle scripts in the local environment. For a web search tool, this is an unnecessary expansion of trust and creates a supply-chain and arbitrary code execution risk if dependencies are compromised or the registry/path resolution is manipulated.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill launches a non-headless Playwright browser specifically to obtain Bing cookies, then reuses those cookies for subsequent HTTP requests. This exceeds the expected behavior of a simple search utility and increases privacy and capability risks by simulating a real browser session, potentially collecting stateful identifiers and bypassing normal HTTP-only restrictions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises network search, IP/region detection, and multi-site content fetching but does not warn users that queries, IP-derived metadata, and fetched URLs/content will be sent to third-party services. In an agent-skill context, this can cause unintended external data disclosure, especially if users pass sensitive prompts, internal project names, or confidential research terms into the tool.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger keywords are extremely broad terms like '搜索', '新闻', '教程', 'search', and 'find', which are likely to match ordinary user requests unintentionally. In context, this is more dangerous because the skill performs external searches and content fetching, so accidental activation can cause silent data egress of user queries to third-party engines and websites.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description emphasizes optimization and automatic fetching but does not clearly warn users that their queries and retrieved URLs/content will be sent to external search engines and websites. Because the skill automatically fetches page bodies from top results, users may unknowingly trigger outbound requests and content collection beyond a simple search.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically installing packages without explicit user confirmation causes the skill to execute shell commands as a side effect of normal use. Even if intended as convenience, it can unexpectedly modify the host environment and trigger installation scripts from third-party packages, expanding the attack surface to command execution and supply-chain compromise.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill automatically fetches content from top search results after querying external search engines, causing additional outbound requests to third-party sites based on user input. This can leak user interests and selected URLs without meaningful consent, especially because fetching is enabled by default and the tool description does not prominently warn about this secondary data transmission.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The setup script silently contacts third-party IP/geolocation services to infer whether the user is in China, which transmits the user's IP address and related network metadata during installation. While this appears intended only to select mirrors for faster dependency downloads, it creates an undocumented privacy exposure and external dependency that users may not expect from a local setup script.

VirusTotal

VirusTotal findings are pending for this skill version.
