bocha-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Bocha search skill, but it includes unsafe credential handling in its bundled publishing docs and scripts.

Install only if you are comfortable sending search queries to Bocha using your own BOCHA_API_KEY. Do not reuse the key shown in PUBLISH.md; treat it as exposed. Avoid running publish.sh unless you intend to publish the skill, and prefer browser login or a non-echoing token flow for ClawdHub credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation indicates it uses environment variables and outbound network access, but does not declare permissions explicitly in a way that would let users or the platform clearly understand its effective capabilities. This weakens transparency and informed consent, especially because the skill handles an API key and sends user queries to a third-party service.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The document includes a concrete API key string in an example command even though it later warns never to hardcode secrets. If this token is real, it exposes credentials to anyone reading the repository and may enable unauthorized API usage, billing abuse, or account compromise; even if it is a sample, it trains users to copy realistic-looking secrets into docs and shells.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: Showing a realistic-looking secret in documentation without a clear disclaimer creates a strong risk that a real credential has been published or that users will treat secret material casually. In a publish guide for a distributable skill, this is especially dangerous because documentation is likely to be copied, indexed, and redistributed widely, increasing the chance of credential harvesting and misuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README explicitly states that user search requests are sent to a third-party API, but it does not clearly warn users about privacy implications, data handling, retention, or that entered queries may leave the local environment. In a search skill, users may include sensitive prompts, making undisclosed external transmission a real privacy/security concern even if the functionality is expected.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The statement that the skill will route explicit requests including generic terms like "search" can cause over-broad invocation and unintended activation. That can send user queries to Bocha when the user may have intended a different provider or no external search at all, increasing both privacy exposure and the risk of misrouted requests.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script reads the API token with a normal `read -p`, which echoes the secret to the terminal as the user types it. This can expose the token to shoulder-surfing, screen recording, terminal logs, or captured session transcripts, making credential theft easier. In this publish-script context, the token is a real authentication secret, so the issue is more meaningful than a generic UX concern.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
## Technical Details

### API Endpoint
- **URL**: `https://api.bocha.cn/v1/web-search`
- **Method**: POST
- **Auth**: Bearer token in Authorization header
Confidence: 91%
Finding: https://api.bocha.cn/

VirusTotal

64/64 vendors flagged this skill as clean.
