Chatgpt Search

Security checks across malware telemetry and agentic risk

Overview

This ChatGPT search skill does what it advertises, but it also saves local screenshots of ChatGPT sessions by default without clear notice or cleanup.

Install only if you are comfortable sending prompts to ChatGPT via browser automation and leaving screenshots of those sessions on local disk. Avoid secrets, credentials, private customer data, or proprietary material; consider using a separate browser profile and regularly deleting /tmp/chatgpt-screenshots unless the skill is changed to make screenshots opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is to submit a query to ChatGPT and return the answer, but it also captures and stores a local screenshot of the session. That creates additional data collection and retention beyond the expected function, and the screenshot may contain sensitive user prompts, responses, or other page content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes screenshots of ChatGPT sessions to /tmp, which is an unnecessary capability for a simple search-and-answer workflow and may expose sensitive data to other local users, processes, or later forensic access. The filename also derives from user query content via a hash, which links stored artifacts to user activity.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The README defines broad natural-language trigger phrases such as "问 ChatGPT" and "ChatGPT 搜索", which can cause the skill to activate on ordinary conversation rather than clearly intentional tool invocation. Because this skill sends user prompts to an external service, overly broad triggers increase the risk of accidental data transmission and unintended browser automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage section instructs users to send arbitrary questions to ChatGPT but does not warn that prompts may be transmitted to an external third-party service. This omission can lead users to unknowingly share sensitive, proprietary, or personal information through the skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends the user's query to chatgpt.com, but there is no explicit user-facing notice or consent flow indicating that the content will leave the local environment and be processed by a third-party service. For a browser automation skill, this matters because users may assume local handling unless told otherwise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code stores screenshots of the ChatGPT session locally without any visible warning that user prompts and responses may be retained on disk. This increases privacy risk because users may not expect durable local copies of their interaction to exist after the search completes.

VirusTotal

66/66 vendors flagged this skill as clean.