Is perplexity safe?
https://clawhub.ai/zats/perplexity
The Perplexity skill provides a simple web search interface via the Perplexity API. While the SKILL.md is clean and the installation showed no malicious behavior, the critical concern is that the actual executable script (search.mjs) was not captured in the audit, making its behavior unverifiable. Additionally, all user queries are sent to a third-party API without content controls, creating a data leakage vector in agent contexts.
Findings (5)
HIGH Unauditable executable script — search.mjs source not captured -35
The skill's primary functionality runs through scripts/search.mjs, but this file's contents were not included in the all-contents dump despite the file being listed in the file inventory. This means the actual behavior of the script cannot be verified. It could contain arbitrary code including data exfiltration, reverse shells, or credential theft.
MEDIUM User queries sent to third-party API without content controls -25
Every search query is transmitted to Perplexity's external API. In an agent context, the agent may include sensitive conversation context, user data, or internal information in search queries. There are no content filtering or redaction mechanisms.
MEDIUM API key exposure required via environment variable -20
The skill requires PERPLEXITY_API_KEY to be set as an environment variable, which means the agent runtime must provision this secret. If the script or any child process is compromised, this key is accessible.
LOW Runtime framework reads sensitive files during install -15
The openclaw runtime (not the skill itself) reads .env, .aws/credentials, auth-profiles.json, and .bashrc during skill installation. While this is framework behavior rather than skill-initiated, it demonstrates that secrets are accessible in the execution environment.
INFO Skill uses {baseDir} template variable in shell commands -10
The SKILL.md instructs the agent to run shell commands with {baseDir} path substitution. If the baseDir resolution is manipulated or contains special characters, this could lead to command injection. However, this is a standard ClawHub pattern and the risk is low if the runtime handles substitution correctly.