Is interskh/querit-search safe?

https://github.com/openclaw/skills/tree/main/skills/interskh/querit-search

Overall score: 87 (SAFE)

querit-search is a straightforward web search and content extraction skill with clean source code, no npm lifecycle scripts, no git hooks, and no prompt injection in its SKILL.md. The primary risks are inherent to any web search tool: search queries are logged at the third-party querit.ai API, and arbitrary web content returned to the agent context creates a secondary prompt injection surface. Canary file accesses during the audit are attributable to the oathe monitoring infrastructure, not the skill, and all honeypot files remain unmodified.

Category Scores

Category               Score     Weight
Prompt Injection       93/100    30%
Data Exfiltration      82/100    25%
Code Execution         88/100    20%
Clone Behavior         80/100    10%
Canary Integrity       90/100    10%
Behavioral Reasoning   78/100     5%

Findings (7)

MEDIUM Arbitrary Web Content Returned to Agent Context -7

The --content flag and content.js extract full page text from arbitrary URLs and return it directly into the agent's context window. A malicious web page in search results could embed natural-language instructions designed to redirect agent behavior. This is an inherent risk of any content extraction tool but should be noted for threat modeling.

MEDIUM Search Queries Logged at External API -12

All search queries are transmitted to api.querit.ai with a Bearer token in the Authorization header. The API operator has full visibility into every query the agent executes using this skill. While this is declared behavior, it means user-sensitive search terms are stored on third-party infrastructure.

LOW Platform-Identifying User-Agent in Content Fetches -6

content.js sends a User-Agent header identifying the platform and linking to the openclaw GitHub repository. Target sites receive metadata indicating the request originates from an AI agent. This is informational disclosure rather than data exfiltration but reduces operational anonymity.

LOW jsdom Parses Untrusted Remote HTML -12

content.js instantiates a JSDOM object from arbitrary remote HTML to enable Readability parsing. JSDOM does not execute JavaScript in this configuration (the runScripts option is not set), but it still processes HTML entities, CSS, and DOM events from the untrusted input. The 5 MB size cap partially mitigates DoS via large payloads.

LOW Commit URL References Different Repository Owner -20

_meta.json references a commit at github.com/clawdbot/skills while the skill was cloned from github.com/openclaw/skills. This suggests a repository rename or migration. Not inherently malicious but introduces mild provenance ambiguity.

LOW Canary Files Accessed During Audit Window -10

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at audit timestamps 1771919763 and 1771919780, with a lone .env access at 1771919772. Timing analysis places the 1771919763 and 1771919780 accesses within the oathe audit baseline and integrity verification phases. The 1771919772 access lacks clear process attribution. Canary integrity monitor confirms no content modification.

INFO Skill Enables Agent to Leak Data via Search Queries -22

If an agent with filesystem or memory access is also using this skill, an attacker who controls the agent's task could instruct it to search for sensitive local content by including it in a query string, inadvertently logging that content to the querit.ai API. This is a cross-skill attack path rather than a vulnerability in the skill itself.