Security audit

Safe Web Fetch for Save Token

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a URL-fetching helper, but its safety claims are undercut by unrestricted outbound fetching and undisclosed third-party URL processing.

Install only if you are comfortable with URLs and fetched page content potentially being processed by Jina Reader, and avoid using it for private, internal, credential-bearing, or sensitive links unless the skill is updated to disclose third-party routing, enforce a real allowlist, and scan all returned content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions even though its documented behavior clearly involves network access and likely local file reads for configuration. This creates a transparency and policy-enforcement gap: users and orchestrators may approve or invoke the skill without understanding its effective capabilities, which is especially relevant because it fetches remote content and may process local config files.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises built-in URL whitelist validation, but `allowed_domains` is empty, so there is no actual allowlist restriction visible in this configuration. In a web-fetching skill, that gap can allow requests to arbitrary hosts, weakening SSRF protections and making the security claims misleading.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script and printed configuration messaging claim allowlist validation is enabled, but the default configuration leaves `allowed_domains` empty, which means any non-blocked external domain is accepted. This creates a security-model mismatch: users may rely on a restrictive policy that is not actually enforced, increasing SSRF and unintended outbound access risk in agent environments.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code explicitly disables sensitive-data detection for content returned by Jina Reader based on the assumption that third-party-cleaned Markdown is safe. That assumption is unsafe: the fetched page may still contain secrets, internal tokens, embedded credentials, or sensitive excerpts, and the tool will forward and return them without any scanning or blocking.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation guidance is broad enough that normal user requests like 'help me check this URL' could trigger the skill automatically, causing unintended outbound requests. Because the skill sends URLs to a third-party cleaning service by default, over-broad triggering increases the chance of accidental disclosure of private, internal, or user-sensitive links.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes safety but does not clearly warn that user-supplied URLs are sent to Jina Reader, a third-party service. This can expose sensitive URLs, query parameters, internal document locations, or access patterns to an external party, and the 'safe' framing may cause users to underestimate that disclosure risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Using Jina Reader sends the requested target URL to an external third-party service, which may also process the page content, but the tool provides no explicit consent or disclosure step. In an agent skill context, this can lead to inadvertent disclosure of sensitive browsing targets, internal document locations, or regulated data to an external processor.

VirusTotal

66/66 vendors flagged this skill as clean.