Back to skill

Security audit

bocha-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Bocha search skill, but it needs Review because it includes unsafe credential examples and broad routing that may send queries to a third party unexpectedly.

Install only if you are comfortable sending search queries to Bocha with your own BOCHA_API_KEY. Do not use or copy the key shown in PUBLISH.md; treat it as exposed. Avoid sensitive or confidential queries unless approved, and run publish.sh only if you intend to publish and can protect your ClawdHub token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents use of environment variables and outbound network access, but the metadata only declares required binaries and primary environment variable rather than explicit permissions. This can reduce transparency and informed consent, because users may not realize the skill can send their prompts to a third-party service and access secrets from the runtime.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document contains contradictory security guidance: it says API keys must never be hardcoded, yet earlier testing instructions include a concrete-looking `BOCHA_API_KEY` value. Even if this key is only an example, publishing realistic credential formats in docs normalizes unsafe handling and creates a high risk that maintainers or users will paste real secrets into shell history, screenshots, repos, or logs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The example directly shows an API key-shaped value in a command users are told to run for testing. In a skill that requires users to manage third-party credentials, this context makes the issue more dangerous because users may reuse the pattern with live secrets, leak them into terminal history, shared documentation, CI logs, or accidentally believe the included key is valid and intended for public use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that user search requests are sent to the external Bocha API, but it does not clearly warn users that their queries may leave the local environment and be processed by a third party. This creates a privacy and data-handling risk because users may unknowingly submit sensitive prompts, internal project names, or personal data to an external service.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing guidance says the skill will automatically handle Chinese queries or explicit 'bocha' / '博查' / 'search' requests. Matching on generic terms like 'search' or broad Chinese queries can cause accidental invocation, sending user input to an external provider when the user did not specifically choose this service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description highlights features and setup but does not clearly warn that user queries will be sent to the external Bocha API for processing. This is a privacy and data-handling issue because users may provide sensitive prompts without understanding they leave the local environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads an API token with a normal `read -p`, which typically echoes the secret to the terminal as the user types. That can expose the token to shoulder surfing, terminal recording, shared session logs, or other monitoring tools, increasing the chance of credential disclosure during publication.

External Transmission

Medium
Category
Data Exfiltration
Content
1. 用户输入搜索请求
2. OpenClaw 识别并路由到 bocha-search skill
3. 脚本读取 `BOCHA_API_KEY` 环境变量
4. 调用博查 API: `POST https://api.bocha-ai.com/v1/web-search`
5. 格式化结果为 Markdown 输出

## 发布到 ClawdHub
Confidence
94% confidence
Finding
https://api.bocha-ai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Technical Details

### API Endpoint
- **URL**: `https://api.bocha.cn/v1/web-search`
- **Method**: POST
- **Auth**: Bearer token in Authorization header
Confidence
90% confidence
Finding
https://api.bocha.cn/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.