ClawHub

free-web-search-js

Security checks across malware telemetry and agentic risk

Overview

This is a real web-search skill, but it includes under-scoped shell/package-install behavior that should be reviewed before use.

Install only if you are comfortable with a skill that sends searches and URLs to third-party sites, drives Chromium, and auto-fetches result pages. Review or patch the execSync URL handling and runtime npm install behavior first, prefer locked dependency installation, avoid sensitive queries, and stop the browser daemon when not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script deliberately alters browser fingerprints to evade automation detection by disabling AutomationControlled, forcing navigator.webdriver to false, and defining window.chrome. That goes beyond ordinary web search and can facilitate deceptive scraping or bypass of site anti-bot controls, which is risky even in a debug script because it normalizes stealth behavior inside the skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This debug script goes beyond ordinary automation and explicitly implements anti-bot evasion: it disables Chromium automation indicators, spoofs browser fingerprint properties such as navigator.webdriver, plugins, languages, and chrome.*, and adds other hardening flags like --disable-web-security. In a web-search skill, these techniques normalize stealth automation and can be repurposed to bypass site defenses, violate target site policies, and increase the likelihood of abusive scraping or deceptive browsing behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script deliberately alters browser automation indicators by disabling AutomationControlled, forcing navigator.webdriver to false, and setting a fake window.chrome object. This is anti-bot evasion behavior that goes beyond ordinary web search and can be used to bypass site defenses or conceal automated access, which is risky even in a debug script.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script deliberately alters browser automation signals by disabling AutomationControlled, overriding navigator.webdriver, and defining window.chrome to better mimic a human browser. In a skill whose purpose is ordinary web search and content retrieval, this evasion is not necessary for core functionality and increases the risk that the code is intended to bypass bot detection or site access controls.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script silently executes `npm install` via `child_process.execSync` at runtime to fetch missing dependencies. This introduces arbitrary code execution from package install hooks and mutable registry content, turning a content-fetching tool into one that can execute unpinned third-party code on the host without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The Playwright init script alters browser fingerprinting signals such as `navigator.webdriver`, `window.chrome`, and permissions behavior to evade bot detection. While not direct code execution, this exceeds normal page rendering needs and can facilitate access patterns that bypass site protections or mask automation in ways a simple web fetcher does not need.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script installs npm packages at runtime by invoking a shell command, which expands its capabilities from web search into arbitrary code acquisition and execution from the package registry. This is dangerous because dependency installation can trigger lifecycle scripts, alters the host environment, and creates a supply-chain risk that is unnecessary for a search skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill spawns another Node process using a command string built from URLs and options, which broadens execution scope and introduces command-injection risk if arguments contain shell metacharacters. Because the URLs originate from network search results, an attacker controlling a result URL could potentially influence the spawned command and execute unintended shell commands.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger keywords are broad everyday terms such as '搜索', '查一下', 'find', and '是什么', which can cause the skill to activate in many normal conversations unrelated to intentional web access. Because this skill sends queries to external search engines and may auto-fetch top results, accidental invocation can leak sensitive user prompts or cause unwanted network activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description does not clearly warn that user queries, requested URLs, and IP/region-detection probes are transmitted to third-party services including search engines and IP-check endpoints. In a skill that automatically searches and fetches content, this omission can mislead users about privacy exposure and increases the chance that sensitive data is sent off-device without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The automation is intentionally disguised as a normal user session without any warning, consent, or explanation, which can mislead operators and target websites about the nature of the traffic. In a web-search skill, this is more concerning because the core function is network interaction at scale, so concealment can enable terms-of-service evasion and abusive scraping patterns.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script harvests cookies from a real browser session and replays them in raw fetch requests, effectively transferring browser state into custom HTTP traffic without any consent, warning, or scope controls. This can expose session or tracking identifiers and enables requests that appear more like an authenticated or reputation-bearing browser session, increasing privacy and abuse risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script harvests cookies from a real browser session and forwards them in a manual fetch request, effectively replaying session state outside the browser context. This can bypass normal browser isolation expectations, may violate user privacy, and creates a pattern that could be repurposed to exfiltrate or misuse authenticated/session cookies without user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic package installation without warning or confirmation means the script can modify the local environment and execute installer scripts as a side effect of normal use. In the context of a web-search utility, this is unexpected behavior and materially increases supply-chain and host-compromise risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"fetch": "node scripts/fetch.js"
  },
  "dependencies": {
    "cheerio": "^1.0.0",
    "commander": "^12.0.0",
    "iconv-lite": "^0.6.3",
    "playwright": "^1.52.0"
Confidence
89% confidence
Finding
"cheerio": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "cheerio": "^1.0.0",
    "commander": "^12.0.0",
    "iconv-lite": "^0.6.3",
    "playwright": "^1.52.0"
  }
Confidence
89% confidence
Finding
"commander": "^12.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "cheerio": "^1.0.0",
    "commander": "^12.0.0",
    "iconv-lite": "^0.6.3",
    "playwright": "^1.52.0"
  }
}
Confidence
89% confidence
Finding
"iconv-lite": "^0.6.3"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"cheerio": "^1.0.0",
    "commander": "^12.0.0",
    "iconv-lite": "^0.6.3",
    "playwright": "^1.52.0"
  }
}
Confidence
92% confidence
Finding
"playwright": "^1.52.0"

Known Vulnerable Dependency: playwright==1.52.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
98% confidence
Finding
playwright==1.52.0

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal