ClawHub

Web Scraping & Data Extraction Engine

Security checks across malware telemetry and agentic risk

Overview

This markdown-only scraping skill is not malware, but it should be reviewed because it teaches users how to bypass anti-bot protections.

Install only for owned or explicitly authorized targets. Prefer official APIs, respect robots.txt and site terms, avoid login-protected or personal data unless you have clear permission, and do not use stealth settings, proxy escalation, CAPTCHA solvers, hidden API mining, or large-scale crawling against third-party sites without a documented legal basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section provides operational guidance for evading anti-bot controls, including residential proxies, stealth browser configuration, automation-indicator suppression, Cloudflare bypass decisioning, and CAPTCHA-solving services. Even though framed as scraping methodology, these instructions materially enable circumvention of access controls and defensive mechanisms, which increases the likelihood of unauthorized collection and legal/compliance violations.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The document presents compliance-first rules early on, but later supplies concrete instructions to circumvent detection and CAPTCHA defenses. That contradiction is dangerous because it can create a false sense of legitimacy while still equipping users to evade technical protections, making misuse more likely in practice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes anti-bot evasion, stealth techniques, and Cloudflare bypass, which materially lowers the barrier to scraping protected sites in ways that may violate terms of service, trigger account bans, or facilitate unauthorized collection at scale. Although the document mentions legality elsewhere, the specific anti-detection section is presented as a feature without nearby warnings, limits, or abuse-prevention guidance, making misuse more likely in this skill's web-scraping context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal