ClawHub

gsdata-search

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised GS Data search, but it sends an API signature and search data over unencrypted HTTP, so users should review it carefully before use.

Install only if you trust the GS Data endpoint and are comfortable sending the API signature and search terms over plain HTTP. Prefer an HTTPS-supported version, use a scoped and revocable signature, avoid sensitive keywords, and rotate the signature if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documentation explicitly instructs users to provide a `sign` API signature credential but gives no warning about treating it as a secret, avoiding logging, or preventing accidental disclosure in prompts, code snippets, or output. In an agent/skill context, users commonly paste credentials directly into examples or chat interactions, which increases the chance of credential leakage and unauthorized API access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends sensitive inputs including `project_id`, `sign`, and search query parameters to a remote endpoint over plain HTTP, which provides no transport encryption. This allows network attackers to intercept or modify credentials, queries, and responses in transit, making the issue materially more dangerous than a mere lack of disclosure.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.1
Confidence
94% confidence
Finding
requests>=2.25.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal