ClawHub

Mysteel_InfoSearch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Mysteel commodity-news search skill, but it uses a local API key file and sends search text to Mysteel's external API.

Install only if you trust Mysteel with your search terms and API token. Use a dedicated Mysteel key, keep references/api_key.md private, do not commit it, and avoid submitting confidential or regulated business information as queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that read a local file for an API key and perform external API queries, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or a host platform may not realize the skill accesses local credentials and the network, which increases the chance of unintended data exposure or policy bypass.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs storing an API key in a local markdown file under references/api_key.md without warning about plaintext secret storage. Plaintext credentials in the workspace can be accidentally committed, read by other tools/skills, or exposed through backups and logs, making credential theft more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference documents sending both the user's query text and an API token to an external endpoint but does not warn users that their prompts leave the local environment. This can lead to unintended disclosure of sensitive business queries, internal research topics, or credentials if users assume the skill is local-only.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends arbitrary user-provided query text to an external Mysteel API, but the CLI gives no explicit notice that input will leave the local environment. This can lead to accidental disclosure of sensitive business queries, internal research topics, or proprietary information if users assume the search is local or do not realize the destination and nature of the network request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal