Scrape

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only web scraping skill with disclosed compliance guidance and an optional third-party scraping API, but users should be careful about what they send to that service.

Before installing, review the external SkillBoss setup guide and any code it provides, use a dedicated API key, and only send public, authorized scraping targets through the managed service. Do not forward login-protected pages, cookies, session headers, secrets, or regulated personal data unless you have explicit authorization and have reviewed the provider's data handling terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to send scraping requests through a third-party managed service but does not clearly warn that target content, URLs, and potentially authentication-derived request metadata may be transmitted outside the user's local environment. In a scraping context, this can expose sensitive targets, session context, or regulated data to an external processor without informed consent or proper data handling review.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal