ClawHub
Back to skill

Security audit

Browse website - Crawls sites automatically and mounts pages as markdown files you can grep, diff, cat, and explore with standard Unix commands — over SSH or HTTP

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only website browsing helper that clearly relies on OpenObj, but users should treat OpenObj as a third-party service that can see requested sites and commands.

Use this for public, non-sensitive websites. Do not send private URLs, confidential search terms, authenticated pages, or regulated data unless you trust OpenObj to process and cache that information; also review commands before using recrawl operations because they can consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send both the target domain and arbitrary commands to a third-party service (`openobj.com`) over SSH or HTTPS, but it does not clearly warn that user inputs and browsing targets leave the local environment. This creates a transparency and privacy problem because potentially sensitive research targets, query terms, and command content are disclosed to an external operator.

External Transmission

Medium
Category
Data Exfiltration
Content
All commands in this skill require network access to `openobj.com`.

Use `required_permissions: ["full_network"]` for all SSH and curl commands (they need to reach openobj.com).

## How to Use
Confidence
90% confidence
Finding
curl commands (they need to reach openobj.com). ## How to Use **Preferred: SSH exec mode** (works in terminals with network access): ```bash # required_permissions: ["full_network"] ssh {domain}@op

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# required_permissions: ["full_network"]
# List all pages
curl -s -X POST https://openobj.com/exec \
  -H 'Content-Type: application/json' \
  -d '{"site": "docs.stripe.com", "command": "find /site -type f"}'
Confidence
92% confidence
Finding
curl -s -X POST https://openobj.com/exec \ -H 'Content-Type: application/json' \ -d '{"site": "docs.stripe.com", "command": "find /site -type f"}' # Search for a term curl -s -X POST https://open

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal