MrScraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud web-scraping integration, but it encourages anti-bot bypass and scriptable scraping workflows without enough user-safety boundaries.

Install only if you are comfortable sending target URLs, extraction instructions, workflow steps, and scraped page data to MrScraper. Use it only on sites and sessions you are authorized to scrape, avoid paywalls or authenticated accounts unless you have explicit permission, do not pass cookies unless strictly necessary, and keep the API token in a secret store or environment variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly promotes 'stealth browser + IP rotation' to access blocked pages but does not provide any warning about legal, contractual, or target-site policy risks. In a scraping-focused skill, that omission materially increases the chance of misuse by encouraging circumvention of anti-bot controls without informed consent or guardrails.

External Transmission

Medium
Category
Data Exfiltration
Content
#### Request example:

```bash
curl -X POST "https://api.app.mrscraper.com/api/v1/scrapers-manual-rerun" \
  -H "accept: application/json" \
  -H "x-api-token: " \
  -H "Content-Type: application/json" \
```
Confidence
80% confidence
Finding
curl -X POST "https://api.app.mrscraper.com/api/v1/scrapers-manual-rerun" \ -H "accept: application/json" \ -H "x-api-token: " \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
#### Request example:

```bash
curl -X POST "https://api.app.mrscraper.com/api/v1/scrapers-manual-rerun" \
  -H "accept: application/json" \
  -H "x-api-token: " \
  -H "Content-Type: application/json" \
```
Confidence
80% confidence
Finding
https://api.app.mrscraper.com/

VirusTotal

60/60 vendors flagged this skill as clean.
