Web Scout

Security checks across malware telemetry and agentic risk

Overview

This web-scraping skill is purpose-aligned, but it asks users to run broad external tooling and hand live browser cookies to the agent, which needs careful review.

Install only if you are comfortable running third-party CLI and Docker tooling. Use safe or dry-run modes first, review Agent Reach and MCP connectors before adding credentials, avoid primary-account cookies, prefer throwaway accounts, and remove stored cookies, containers, and watchers when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Ssd 3

High
Confidence: 98%
Finding
The skill explicitly instructs users to export full browser cookies and send them to the agent, which can expose live authenticated session tokens for platforms like Twitter/X and Xiaohongshu. In the context of a web-collection skill that requires exec access and third-party tooling, this is especially dangerous because cookie theft enables account takeover, impersonation, data exfiltration, and abuse of the user's account without needing a password.

VirusTotal

64/64 vendors flagged this skill as clean.
