Scrapping

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a disclosed ScrapeCreators API helper for public social-media data, with normal API-key and data-retention cautions but no hidden execution or exfiltration behavior.

Install only if you intend to let an agent send public handles, URLs, search terms, and similar queries to ScrapeCreators using your API key. Use a dedicated key where possible, set clear result and pagination limits, avoid saving raw bulk datasets unless needed, and delete or protect JSON/CSV exports that may contain personal or sensitive public data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly documents saving scraped responses to local JSON/CSV files but does not warn that social-media data can include personal data, identifiers, comments, transcripts, or other sensitive content. This increases the chance that operators persist and later mishandle collected data, creating privacy, retention, and secondary disclosure risk even if the source data was public.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal