ScrapeBadger

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only connector for ScrapeBadger’s external scraping APIs, with no executable install code or hidden behavior found.

Install only if you trust ScrapeBadger with the API key and the scraping targets you provide. Use a revocable key, monitor account usage or credits, and avoid submitting secrets, internal-only URLs, personal data, or regulated content unless you are authorized to send it to this external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill requires sending `SCRAPEBADGER_API_KEY` to a third-party API but provides no warning about credential sensitivity, storage, logging, or safe handling. In agent/tooling contexts, this can lead to accidental disclosure through debug logs, copied examples, error traces, or misuse of the key against the user's paid account.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill directs the agent to send URLs, search queries, usernames, tweet IDs, marketplace targets, and scraped destinations to `scrapebadger.com` without any disclosure that this data leaves the local environment and is processed by a third party. This creates privacy and compliance risk, especially if users provide sensitive internal URLs, personal data, or investigative targets assuming the action is local.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal