web-reader-pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate web-reading skill, with important but expected risks around third-party URL fetching, local caching, and optional helper-tool installation.

Install only if you are comfortable with requested URLs being fetched through Jina when Tier 1 is used, extracted content being cached locally, and the optional Scrapling setup installing or invoking npm/npx tooling. Avoid sensitive internal URLs unless you configure a local-only tier, use a limited Jina key, and clear cache or learning data after sensitive use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]
        
        try:
            result = subprocess.run(
                scrapling_cmd,
                capture_output=True,
                text=True,
Confidence
91% confidence
Finding
result = subprocess.run( scrapling_cmd, capture_output=True, text=True, timeout=60, check=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and relies on capabilities including network access, environment-variable access, file read/write, and shell execution, but does not declare permissions or warn users about this operational scope. That creates a transparency and consent problem: a user may invoke what appears to be a simple web reader without realizing it can access local state, persist data, and execute external tooling.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill's advertised role is web reading, but it achieves part of that by executing an external local binary. In an agent setting, that is materially more dangerous than pure HTTP fetching because it introduces supply-chain, path-hijack, and local-execution risk that may not be visible to users or policy controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description says it fetches and extracts web content using Jina as a primary tier, but does not warn that requested URLs and potentially associated request metadata may be transmitted to a third-party service. This omission can cause privacy, confidentiality, and compliance issues if users submit internal, sensitive, or non-public URLs assuming all processing is local.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Listing an external-service API key in the environment variables without a matching warning obscures the fact that content extraction may depend on a remote provider and that user-supplied URLs may leave the local environment. This increases the risk of accidental data disclosure and misuse in environments with strict privacy or data residency requirements.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs package installation from the network and creates an executable wrapper in ~/.local/bin, changing the user's environment and persistence state. While this appears to be a legitimate installer, these actions can introduce unreviewed code into the system and leave behind a command that will execute npx-fetched code later. This is especially risky because the package version is not pinned and user consent is implicit rather than explicit.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Jina tier transmits user-supplied URLs to an external third-party service (`r.jina.ai`) without any runtime consent or clear user-facing disclosure. In a web-reading skill, this is contextually significant because requested URLs may be sensitive, internal, or private, and using a third-party reader changes the data exposure model.

VirusTotal

66/66 vendors flagged this skill as clean.
