Claw Search

Security checks across malware telemetry and agentic risk

Overview

Claw Search is a real search tool, but its included servers expose unsafe search and URL-fetching behavior that needs review before installation.

Review carefully before installing or exposing this service. Treat all searches as external network traffic, avoid entering secrets or private internal terms, and do not run the bundled server for untrusted users until shell command construction is removed, URL extraction is restricted, query history is disabled or authenticated, and dependencies are sourced from a trusted HTTPS registry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The code invokes a local subprocess (`execSync`) to perform search functionality, which expands the skill's capabilities beyond simple web requests and introduces command-execution risk. In this context, the subprocess is fed user-controlled input and executed through a shell, making the local execution path materially dangerous.

Vague Triggers

Low
Confidence: 89%
Finding
The lockfile pins dependencies by integrity hash, which reduces tampering risk, but it also hard-codes package downloads to an unexpected third-party HTTP mirror rather than the default trusted npm registry. Using a broad external mirror over plain HTTP weakens supply-chain trust and can expose installs to mirror compromise, traffic interception, or policy bypass in environments that assume dependencies come only from approved registries.

Missing User Warnings

Medium
Confidence: 93%
Finding
User-entered search queries are sent to a third-party remote API, but the page does not clearly disclose that user input leaves the browser and is transmitted off-device. This can expose sensitive queries, especially if users assume the search box is local or do not understand who receives the data.

Missing User Warnings

Low
Confidence: 85%
Finding
The page automatically fetches API usage statistics from a remote endpoint on load without informing visitors that opening the page triggers a network request. While lower risk than transmitting typed queries, it still creates undisclosed telemetry and contact with a remote service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends user-provided search queries to a remote third-party API endpoint, but the CLI output and usage text do not clearly disclose that queries leave the local environment. Search terms can contain sensitive internal, personal, or proprietary data, so this creates a privacy and data-handling risk, especially in an agent skill context where users may assume a local tool.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The script defaults the search country/locale to 'CN' without asking the user or making that behavior obvious. This can silently route searches through a locale with different content filtering, privacy expectations, or regulatory implications, which is especially risky when users are unaware of the default and may receive altered or sensitive-region-specific results.

Missing User Warnings

Medium
Confidence: 91%
Finding
The service forwards user-supplied search terms to third-party search engines (Bing, DuckDuckGo, Yahoo), which discloses potentially sensitive user queries to external parties. In a search aggregation skill this behavior is functionally expected, but it is still a real privacy/security issue when there is no user-facing notice, consent, or control over where queries are sent.

Missing User Warnings

Medium
Confidence: 95%
Finding
Search queries are stored in memory and then exposed via unauthenticated /api/history and /api/suggest endpoints, which can reveal potentially sensitive user searches to any caller. In this server context, queries may contain personal data, internal project names, credentials pasted by mistake, or other confidential terms, so disclosure is a real privacy and data-leak risk.

Missing User Warnings

Medium
Confidence: 99%
Finding
The /api/extract endpoint causes the server to fetch arbitrary user-supplied URLs with Puppeteer, creating a server-side request forgery primitive. An attacker can use this to probe internal services, access cloud metadata endpoints, or make outbound requests from the trusted server network, and the browser context increases the attack surface beyond a simple HTTP fetch.

Missing User Warnings

Medium
Confidence: 99%
Finding
User-controlled `query` is interpolated directly into a shell command string passed to `execSync`, which creates a command injection vulnerability. An attacker can craft a query containing shell metacharacters or quote-breaking payloads to execute arbitrary commands on the host running the skill.

VirusTotal

66/66 vendors flagged this skill as clean.
