Byted Web Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Volcengine web-search skill, but it repeatedly encourages users to paste API keys into chat and uses broad triggers that may send more queries externally than expected.

Review before installing. Use it only if you are comfortable sending search queries to Volcengine. Do not paste API keys into chat; configure WEB_SEARCH_API_KEY through a protected skill setting, secret store, or local environment variable, and rotate any key already shared in a transcript. Consider limiting when the skill may search so vague questions or recommendations are not automatically sent to an external provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability (Medium, 98% confidence)

The guide explicitly tells users to send an API key in the chat, which creates a direct conversational secret-collection path unrelated to normal web-search functionality. Secrets pasted into chat may be stored in logs, transcripts, analytics systems, or exposed to other tools/agents, increasing the chance of credential compromise.

Context-Inappropriate Capability (Medium, 98% confidence)

The configuration section prioritizes handing the key to the agent via chat instead of using a safer configuration channel. This normalizes disclosure of credentials in natural language, where they are more likely to be retained, mishandled, or exfiltrated by downstream systems.

Missing User Warnings (High, 98% confidence)

The README explicitly instructs users to paste an API key directly into the chat interface, which can expose credentials to logs, conversation history, support personnel, downstream tools, or unintended recipients. In an agent/skill ecosystem, chat is often not a secure secret-entry channel, so this guidance materially increases the risk of credential leakage and subsequent unauthorized API use.

Vague Triggers (High, 89% confidence)

The trigger list is extremely broad and includes many common conversational phrases, which can cause the skill to activate in contexts where the user did not intend web access or external data retrieval. In an agent environment, this increases the chance of unnecessary network calls, privacy leakage of user queries to a third-party provider, and routing away from safer local handling.

Vague Triggers (High, 90% confidence)

The instruction to proactively invoke the skill even when the user did not explicitly ask to search creates an overbroad activation policy. This can lead the agent to transmit user content externally without clear consent, especially for verification or exploratory prompts that might have been answerable locally.

Vague Triggers (High, 91% confidence)

The 'consider calling on sight' list covers very common words and hedging language, making accidental activation likely across ordinary conversation. Because this skill sends queries to an external API, over-triggering raises both privacy and operational risk by exporting user prompts more often than necessary.

Missing User Warnings (High, 99% confidence)

Telling users to paste an API key directly into chat without any warning about sensitivity or exposure risk is unsafe handling of credentials. Chat interfaces are not an appropriate secret-input channel because messages can be logged, persisted, reviewed, or reused outside the user's intent.

Missing User Warnings (High, 99% confidence)

The document again prefers chat-based credential submission while omitting any warning about secret exposure. Repetition increases the likelihood that users will treat conversational disclosure as expected behavior, making accidental credential leakage more likely.

Ssd 3 (High, 98% confidence)

The skill explicitly instructs the agent to ask the user to paste an API key directly into the chat. Collecting secrets through normal conversation is dangerous because chat logs may be retained, exposed to other tools, visible to operators, or reused in future context, turning the conversation channel into a credential collection surface.

Ssd 3 (High, 98% confidence)

This repeated guidance normalizes sending credentials in plain chat, increasing the likelihood users will disclose sensitive API keys in an insecure channel. Repetition strengthens the social pattern of secret exfiltration via conversation and increases the blast radius if transcripts are logged or later exposed.

Ssd 3 (High, 99% confidence)

This guidance actively encourages natural-language disclosure of an API key to the agent, creating a clear secret-exfiltration channel. In the context of an agent skill, this is especially dangerous because the agent may have logging, memory, tool access, or multi-step workflows that increase exposure of pasted credentials.

Ssd 3 (High, 99% confidence)

The repeated instruction to hand over the key in chat normalizes leaking secrets through conversation and trains users into an unsafe habit. Because this is setup documentation for a skill, users are likely to follow it exactly, amplifying the risk of credential compromise.

Ssd 3 (Medium, 97% confidence)

The troubleshooting advice tells users they can resend the correct key in chat, reinforcing insecure secret-sharing behavior even after errors. This increases repeated exposure opportunities and can lead users to disclose multiple valid or invalid credentials in logged conversations.

Ssd 3 (Medium, 98% confidence)

The script explicitly tells users to send API keys in chat, normalizing disclosure of secrets through a conversational channel that may be logged, retained, or exposed to unintended parties. In an agent skill context, this is especially risky because users may assume the assistant is a safe secret-entry path when it may not provide secret handling guarantees.

Ssd 3 (Medium, 98% confidence)

The CLI description repeats guidance to provide the API key in chat, reinforcing unsafe operator behavior and increasing the likelihood of credential leakage into conversation logs or model context. Repetition in help text makes this a systematic secret-handling flaw rather than an incidental wording issue.

Ssd 3 (Medium, 97% confidence)

When credentials are missing, the error text instructs users to send the key in chat, turning authentication recovery into a social pathway for secret disclosure. This can cause credential exposure in transcripts, observability systems, or downstream tooling that processes conversation content.

Ssd 3 (Medium, 97% confidence)

The authentication failure message again asks users to provide credentials in chat, which materially increases the chance of secret leakage during troubleshooting. Error flows are high-risk because users are more likely to follow urgent remediation instructions without considering exposure.

Ssd 3 (Medium, 97% confidence)

The API error remediation tells users to resend the correct key in chat, perpetuating insecure secret-sharing behavior precisely when users are handling live credentials. In a skill intended for agent use, this is more dangerous because conversational systems commonly persist and relay context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal