Is multi-search-engine safe?

https://clawhub.ai/gpyAngyoujun/multi-search-engine

Overall score: 82 · Verdict: SAFE

Multi-search-engine is a documentation-only skill that provides URL templates for 17 search engines. It contains no executable code, no prompt injection, and no data exfiltration mechanisms. The main concerns are minor: it includes Google search dork patterns that could aid reconnaissance, and its URL templates could theoretically serve as an indirect exfiltration channel if combined with a malicious skill. Overall, it is a low-risk, benign utility skill.

Category Scores (score · weight)

Prompt Injection 85/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (5)

LOW · Search dork patterns in documentation · -10

The references/international-search.md file contains extensive examples of Google search operators commonly used for security reconnaissance, including 'intext:password filetype:txt', 'intitle:"index of" mp3', and 'inurl:login admin'. While these are legitimate search operators, embedding them as ready-to-use templates in an agent skill lowers the barrier for automated OSINT reconnaissance.

LOW · Search queries as potential exfiltration vector · -15

All 17 search engine URL templates accept a {keyword} parameter that becomes part of the HTTP request URL. If another skill or prompt injection controls the keyword value, sensitive data could be exfiltrated via search queries to third-party domains. This is an indirect/theoretical risk, not an active exploit in this skill.

LOW · Behavioral conditioning via extensive examples · -15

The skill contains over 100 web_fetch code examples across SKILL.md and the reference file. While not prompt injection, this volume of examples acts as behavioral conditioning, training the agent to freely issue web_fetch calls to many domains. This normalizes broad outbound HTTP activity.

INFO · Platform reads canary-adjacent files during bootstrap · -5

Filesystem monitoring shows reads of .env, .aws/credentials, .profile, and .bashrc during the OpenClaw platform bootstrap process. These reads are platform behavior, not skill behavior, and are noted for transparency.

INFO · Pure documentation skill — no executable code · 0

The skill contains only markdown (.md) and JSON (.json) files with no executable code, install scripts, git hooks, or submodules. This is the safest possible skill structure.