ClawHub

Facebook Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a Facebook scraper, but it promotes stealth scraping, proxy-based ban avoidance, account use, and collection of contact data without clear safeguards.

Install only if you have clear authorization to collect the targeted Facebook data and have reviewed the actual scraper implementation. Avoid using primary Facebook accounts or sensitive proxy credentials, keep exported contact data tightly controlled, and prefer official APIs or narrowly scoped compliant workflows over stealth or ban-evasion features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly documents scraping, storing, and exporting personal/contact fields such as phone numbers, email addresses, addresses, websites, and engagement data, but provides no privacy notice, lawful-use guidance, retention limits, or data-handling safeguards. In a scraping skill, this omission increases the risk that operators will collect and redistribute personal data without considering consent, jurisdictional restrictions, or downstream misuse.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation instructs users to place proxy usernames and passwords in environment variables and config examples, but does not warn that these are secrets that can leak via shell history, logs, screenshots, committed config files, or process inspection. Because the skill is designed for long-running scraping with third-party proxy services, credential exposure could allow unauthorized proxy use, billing abuse, and infrastructure misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal