Back to skill

Security audit

Openclaw Search Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real web-search skill, but it needs review because some documentation falsely says it makes no network calls while the code sends queries and fetches URLs externally.

Review before installing if you work with confidential queries or restricted networks. Treat every search term as data sent to external search providers, avoid searching secrets or internal project names, and do not rely on the URL extractor as a complete SSRF/private-network barrier. If using API keys, prefer environment variables or lock down the config file permissions and keep it out of source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The manifest documents network access and reading a local config file, but the analyzer indicates these capabilities are not formally declared in permissions. Undeclared capabilities weaken trust boundaries and reviewability because a user or platform may not have an accurate machine-readable view of what the skill can access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose does not fully match the behavior described by analysis: additional search providers are used, the implementation surface is broader than advertised, and extract.py may not actually perform the advertised content extraction. Behavior/documentation mismatches are dangerous because they can hide external data flows and make reviewers or users consent to a narrower capability set than the skill really has.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README makes categorical claims that the scripts perform no network calls, send no data externally, and run entirely locally, yet the skill is explicitly a multi-engine web search and content extraction tool. This mismatch can mislead users and reviewers about the actual trust boundary, causing them to run the skill with sensitive inputs or in restricted environments under false assumptions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Stating that processing is entirely local and that no data is uploaded directly contradicts the advertised functionality of retrieving web search results and extracting remote content. In a security-sensitive environment, such deceptive or inaccurate assurances can lead operators to expose internal queries, browsing targets, or other sensitive data to external services without informed consent.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The security section claims private-network protections for extract.py, but the documented checks omit several local or special-use address ranges beyond the listed RFC1918 and 127/8 cases. In a URL-fetching tool, incomplete SSRF protections can allow requests to localhost or internal infrastructure via alternative loopback/link-local/IPv6 representations, undermining the claimed safety boundary.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest claims safe intranet access checks, but the code forwards user-controlled queries to external search providers and returns arbitrary URLs without performing any internal-network validation. In an agent setting, this can create unsafe trust assumptions: downstream components or users may rely on the claimed safeguard and process links that point to private, localhost, or otherwise sensitive network targets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide tells users to place long-lived API credentials directly into a local JSON config file but does not warn about file permissions, secret handling, or avoiding commit/sync of the file. In a developer tool skill, this increases the chance of credential leakage through source control, shared workspaces, backups, logs, or overly permissive local access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends the user's raw search query to Baidu over the network with no visible consent flow, warning, or data minimization. Search terms often contain sensitive internal project names, credentials-by-mistake, personal data, or investigative topics, so silent transmission to third-party engines creates a real privacy and data-leakage risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function transmits the user's query to cn.bing.com without any user opt-in or warning. In a search-augmentation skill, this is especially relevant because users may assume the tool is only enhancing retrieval locally, while it actually discloses queries to external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Sogou search path also sends user-supplied queries to an external provider with no privacy notice or confirmation. Because this skill aggregates multiple engines, the context can increase exposure by normalizing third-party transmission and encouraging use for research tasks that may involve confidential topics.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends user-provided search queries to third-party search engines (Bing China, Sogou, 360) over the network without any explicit notice, consent flow, or privacy warning in the implementation. This can expose sensitive prompts, internal project names, credentials accidentally pasted by users, or other confidential research terms to external providers, which is a real privacy and data-leak risk in a search skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.obfuscated_code

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
node_modules/axios/dist/node/axios.cjs:3533

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
node_modules/axios/lib/adapters/http.js:605

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
node_modules/undici/lib/dispatcher/socks5-proxy-agent.js:59

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
node_modules/entities/lib/esm/generated/decode-data-html.js:4

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
node_modules/entities/lib/generated/decode-data-html.js:6

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
node_modules/parse5/node_modules/entities/dist/commonjs/generated/decode-data-html.js:7

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
node_modules/parse5/node_modules/entities/dist/esm/generated/decode-data-html.js:4

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
node_modules/parse5/node_modules/entities/src/generated/decode-data-html.ts:5