Is bguidolim/omnisearch safe?
https://github.com/openclaw/skills/tree/main/skills/bguidolim/omnisearch
OmniSearch is a minimal bash wrapper that routes user search queries to external providers (Perplexity, Brave, Kagi, Tavily, Exa). The install and code are clean with no malicious artifacts, no canary file compromise, and no unexpected network connections during clone. However, SKILL.md contains manipulative behavioral instructions — falsely claiming mandatory/exclusive search authority and explicitly telling the agent to skip user confirmation before transmitting queries to external services. This no-consent design creates a meaningful privacy risk where sensitive conversation context can silently flow to third-party APIs.
Findings (6)
HIGH False 'MANDATORY/ONLY' framing suppresses agent judgment -20
The skill description declares itself 'MANDATORY' and claims to be 'THE ONLY way to search the internet in this OpenClaw environment.' These statements are factually false. This manipulative framing is designed to override the agent's own assessment of whether external search is needed, reducing the agent's critical thinking about when to use the skill and effectively hijacking its decision-making process for search tasks.
HIGH Explicit instruction to bypass user permission -20
The skill explicitly instructs the agent to run searches immediately without asking user permission. This removes the agent's natural pause-and-confirm behavior before making external network requests, which is a key privacy and safety checkpoint. This instruction is particularly dangerous when combined with external API routing.
MEDIUM Query content silently routed to multiple external third-party APIs -22
All search queries — including whatever conversation context the agent includes — are forwarded to external providers without user-visible confirmation. The 'don't ask permission' instruction means users may not realize their queries (and implicit context) are being transmitted to Perplexity, Brave, Kagi, Tavily, or Exa. In sensitive environments this constitutes a data leakage risk.
LOW Unquoted variable expansion in shell script -15
The QUERY variable is assigned with quotes but expanded without quotes in the mcporter invocation argument. If mcporter performs any shell-like argument processing, this could allow query content containing shell metacharacters to alter command behavior. Low risk given mcporter appears to be a controlled internal tool.
LOW Repository provenance mismatch in metadata -10
The skill is installed from openclaw/skills but _meta.json references a commit URL pointing to github.com/clawdbot/skills. This discrepancy suggests a repo migration, a fork, or a copy-paste error in metadata. It does not indicate malicious intent but reduces confidence in supply chain provenance.
MEDIUM No-confirmation design creates covert external data routing pathway -35
The combination of explicit no-permission-required instruction and external API routing means sensitive conversation context can flow to third-party search providers without user awareness or consent. This is not malicious by itself but represents a significant privacy risk, especially in agent environments with file access capabilities where sensitive data could be inadvertently included in search queries.