Web Search

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides web search and page crawling, with normal network and dependency risks but no evidence of hidden or malicious behavior.

Install only if you want the agent to make external web requests and crawl pages from your environment. Do not use it with secrets, private/internal URLs, or sensitive queries unless your runtime has network egress controls and reviewed, pinned dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and enables network access and likely local file interaction through its script and dependencies, but declares no permissions. This creates a transparency and consent problem: hosts or users may authorize the skill under false assumptions, allowing broader capability use than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is generic web search, but the documented actions also include arbitrary URL crawling and deep extraction of page content. That mismatch is dangerous because operators may approve the skill as a search-only tool while it can fetch and process far more content, increasing data exfiltration, SSRF-like retrieval, and policy bypass risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill advertises itself as a general web search capability, but it also exposes arbitrary URL crawling and content extraction. This expands the trust boundary from search-result retrieval to unrestricted outbound fetches, which can be abused to access internal services or sensitive endpoints if the runtime has network reachability.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The deep_search feature does more than search: it automatically follows returned links and extracts page content. That hidden secondary fetch behavior can cause unintended data transmission and turns untrusted search results into attacker-controlled fetch targets, increasing SSRF and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The exported crawl action lets callers fetch any http/https URL with only superficial validation. In an agent environment, this is a classic SSRF primitive that could probe internal web services, cloud metadata endpoints, or other restricted resources reachable from the host.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Deep search and crawl send outbound requests to arbitrary external sites without any user-facing notice or consent flow. In agent usage, queries or URLs may contain sensitive context, and silent transmission to third-party services can create privacy, compliance, and data-governance issues.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Routing Bing searches to the China-specific endpoint and forcing Chinese locale without user opt-in changes the data-handling jurisdiction and backend unexpectedly. In some deployments this can create compliance and privacy exposure by sending user queries to region-specific infrastructure not anticipated by the user or operator.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Web Search Skill Requirements

# Package manager (recommended for fast installation)
uv>=0.1.0

# HTTP requests
requests>=2.28.0
Confidence
90% confidence
Finding
uv>=0.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
uv>=0.1.0

# HTTP requests
requests>=2.28.0

# Baidu search library (no API key required)
baidusearch>=1.0.3
Confidence
93% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0

# Baidu search library (no API key required)
baidusearch>=1.0.3

# Web scraping library (deep search)
crawl4ai>=0.8.0
Confidence
87% confidence
Finding
baidusearch>=1.0.3

Unpinned Dependencies

Low
Category
Supply Chain
Content
baidusearch>=1.0.3

# Web scraping library (deep search)
crawl4ai>=0.8.0

# Playwright browser automation
playwright>=1.40.0
Confidence
96% confidence
Finding
crawl4ai>=0.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
crawl4ai>=0.8.0

# Playwright browser automation
playwright>=1.40.0
Confidence
90% confidence
Finding
playwright>=1.40.0

Known Vulnerable Dependency: uv — 4 advisory(ies): CVE-2025-54368 (uv allows ZIP payload obfuscation through parsing differentials); GHSA-pjjw-68hj-v9mw (uv vulnerable to arbitrary file deletion through RECORD entries); CVE-2025-13327 (uv allows ZIP payload obfuscation through parsing differentials) +1 more

Low
Category
Supply Chain
Confidence
84% confidence
Finding
uv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

Known Vulnerable Dependency: crawl4ai — 5 advisory(ies): CVE-2025-28197 (Crawl4AI SSRF vulnerability); CVE-2026-26216 (Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Paramete); CVE-2026-26217 (Crawl4AI Has Local File Inclusion in Docker API via file:// URLs) +2 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
crawl4ai

VirusTotal

66/66 vendors flagged this skill as clean.