TinyScraper

Security checks across malware telemetry and agentic risk

Overview

TinyScraper mostly matches its website-mirroring purpose, but its cleanup command can recursively delete paths built from unvalidated user input.

Review before installing. Use only in a sandbox or disposable workspace, run dry-run first, set crawl limits where possible, and crawl only sites you are allowed to mirror. Avoid the cleanup command with manually supplied or untrusted domain values until the publisher validates the path and proves deletion cannot escape the mirror directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill advertises network access, file reading, and local file output behavior but does not declare any permissions or capability boundaries. This is dangerous because it obscures the true trust and execution surface from the user and runtime, making it easier for a crawler to access local context or perform network/file operations without explicit review.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented purpose is website mirroring, but the skill also exposes a deletion mode that removes local mirror directories by domain. Hidden or underemphasized destructive functionality increases the risk of accidental data loss or abuse, especially if domain input is insufficiently constrained and users do not expect deletion behavior from a scraper tool.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill is described as a website mirroring/downloader, but the CLI also exposes a destructive local deletion feature via `--disconnect`. This hidden extra capability expands the tool's risk surface and can remove user data under the configured mirrors directory, which is especially concerning in an agent/tooling context where operators may expect read/download behavior only.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The `--domain` argument is joined directly into `MIRRORS_DIR` and passed to `shutil.rmtree()` without sanitization. An attacker can supply values like `../../...` or an absolute path to escape the mirrors directory and recursively delete arbitrary local directories accessible to the process.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill describes mirroring websites but omits clear warnings about bandwidth usage, storage consumption, private/internal site copying, legal/compliance issues, and the consequences of ignoring robots.txt. That omission increases the likelihood that users will invoke a network-intensive and potentially sensitive operation without informed consent or understanding of operational risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal