ClawHub

Claw Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward search API wrapper, but search terms are sent to an external service.

Install only if you are comfortable sending search terms to claw-search.com, and potentially through its DuckDuckGo fallback. Avoid using it for secrets, credentials, personal data, confidential project names, regulated information, or queries whose disclosure to an external search provider would be unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to send arbitrary search queries to a third-party service but does not disclose that those queries, along with related metadata such as IP address, user agent, and timing, will be transmitted outside the local agent environment. In an agent skill context, users may submit sensitive prompts, internal project names, or personal data through search features, so the lack of a privacy warning and data-handling guidance creates a real data-exposure risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill's 'When to Use' guidance is very broad ('when your agent needs to search the web, find images, or get latest news'), which can cause the agent to invoke this external-search skill for many generic user requests. That increases unnecessary exposure of user prompts to a third-party service and expands the attack surface through over-selection of the skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill does not warn that user queries are transmitted to an external service at claw-search.com. Without explicit disclosure, an agent may send sensitive prompts, identifiers, or confidential context to a third party, creating privacy and data-handling risks that users may not expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends user-provided search queries to an external third-party service over the network, and the code contains no mechanism for disclosure, consent, or minimization before transmission. In an agent setting, users may reasonably assume prompts remain local; silently forwarding potentially sensitive queries can expose personal, proprietary, or confidential information to the remote operator.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The image, news, and suggestion functions also forward raw user queries to the same external service without any visible notice, consent flow, or privacy controls. Because suggestion endpoints often receive partial queries, this can leak sensitive intent even before a user finishes a request, increasing privacy risk in interactive agent use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal