ClawHub

Web fetch Google search

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Google search wrapper, with the main caveat that search queries may be sent to an external search provider.

Use this only for ordinary web searches. Do not include passwords, tokens, private personal details, confidential business information, or regulated data in search queries, and expect the published documentation to be rough because it still contains template text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The skill claims it will execute a specific script and use a web search tool, but the document still contains obvious template placeholder content showing the skill is unfinished. This mismatch is dangerous because users and downstream agents may rely on undocumented or nonexistent behavior, reducing review quality and increasing the chance that hidden or unreviewed implementation details are invoked without proper scrutiny.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broad enough to match common requests about retrieving information from Google search results, which can cause over-triggering of the skill. That is risky because it may send user content to an external service unexpectedly, invoke the wrong capability, or bypass more appropriate safer workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation does not clearly warn that the provided query will be transmitted to Google via an external web search operation. This creates a privacy and data-handling risk because users may include sensitive, proprietary, or regulated information without understanding it will leave the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal