Enhanced Search

Security checks across malware telemetry and agentic risk

Overview

This is a search-helper skill whose privacy-sensitive behavior is mostly expected for web search, but users should avoid sensitive queries when context or caching is enabled.

Install only if you are comfortable with a search helper using conversation context to improve search queries. Avoid private, proprietary, or credential-like information in searches when context-aware search, memory sources, caching, or self-improvement logging are enabled, and separately review any Python files if you obtain an implementation beyond this SKILL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 90% confidence
Finding:
The trigger examples are broad natural-language phrases like “搜索 [查询内容]” and “帮我了解 [主题]”, which can overlap with normal conversation and cause unintended activation. In a skill that performs web searches and context-aware query expansion, accidental invocation can expose user prompts or conversation context to external search services without clear user intent.

Missing User Warnings

Medium, 95% confidence
Finding:
The skill advertises context-aware search and multi-source integration but does not clearly disclose what conversation context may be used or transmitted during query optimization. This creates a privacy risk because user-provided or prior conversational data may be incorporated into external searches, potentially leaking sensitive information beyond the local environment.

Missing User Warnings

Low, 87% confidence
Finding:
The documentation instructs users to create a local configuration file and later describes caching behavior, but it does not warn that queries, summaries, or source selections may be stored locally. Even if storage is local, retained search artifacts can contain sensitive user interests or contextual data and may be accessible to other local processes or users.

VirusTotal

65/65 vendors flagged this skill as clean.
