ClawHub

Skrape

Security checks across malware telemetry and agentic risk

Overview

Skrape is a guidance-only scraping skill with responsible-use instructions, though its sample robots.txt checker should not be relied on as a complete compliance safeguard.

Install only if you want scraping guidance and sample code. Before using it on real sites, manually review robots.txt and terms, prefer official APIs, change the robots check to fail closed when evaluation is inconclusive, avoid authenticated or personal data unless clearly permitted, and redact sensitive URLs from logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill claims robots.txt adherence, but on fetch errors or parse failures it defaults to allowing scraping. That fail-open behavior can cause the agent to access paths that a site intended to restrict, especially during transient network issues or malformed robots files. In a scraping skill, this makes the mismatch between policy claims and implementation materially relevant.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The evaluator collects Allow directives but never applies them, so robots decisions are incomplete and can be incorrect. This can either over-block or, combined with simplistic matching, mis-handle precedence and create behavior that does not match the site's published crawling policy. While not a direct memory/code-execution issue, it is a security-relevant policy enforcement flaw in this skill's stated purpose.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal