Apify

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Apify integration, but it exposes broader account and data-management powers than the scraping workflow clearly describes.

Install only if you want an agent to operate your Apify account and you are comfortable constraining it yourself. Use a revocable least-privilege token if possible, keep APIFY_TOKEN out of logs and prompts, approve each Actor, target site, budget, and limit before running, and do not allow account-limit changes, webhooks, schedules, or deletes unless you explicitly requested them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: High (98% confidence)
Finding
The skill metadata says it is for running Apify Actors and retrieving scrape results, but the OpenAPI spec grants broad management capabilities across actors, storages, webhooks, schedules, users, billing, and limits. This creates a major scope mismatch that could let an agent perform destructive or account-changing actions the user did not intend when invoking a scraping skill.

Context-Inappropriate Capability

Severity: High (99% confidence)
Finding
The spec exposes `/v2/users/me`, monthly usage, and limits update capabilities even though the skill claims to be for scraping and retrieving actor results. An agent with this skill could inspect private account data or change spending/retention settings, which is unrelated to the user-facing purpose and expands blast radius into billing and account governance.

Context-Inappropriate Capability

Severity: Medium (91% confidence)
Finding
Webhook and schedule management allow persistent automation and external callbacks, which goes beyond scraping and result retrieval. In an agent context, this can create durable side effects, trigger future runs, or exfiltrate run results to external destinations long after the original user request ends.

Context-Inappropriate Capability

Severity: Medium (95% confidence)
Finding
Direct mutation and deletion across key-value stores, datasets, and request queues are not necessary for merely retrieving actor results. These endpoints increase the risk of data loss, tampering with run artifacts, or unintended writes/deletes if the agent misinterprets a prompt or is prompt-injected by scraped content.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The skill explicitly enables web scraping and crawling of third-party sites but provides no warning about privacy, robots.txt, rate limits, or terms-of-service constraints. In this context, omission of those safeguards can lead users to misuse the tool against external services, increasing legal, ethical, and operational risk.

Missing User Warnings

Severity: Low (82% confidence)
Finding
The authentication section instructs use of a bearer token but does not warn against exposing the credential in logs, transcripts, shell history, or error output. While the examples do not directly leak the token, lack of handling guidance increases the chance of accidental credential disclosure during normal use.

VirusTotal

66/66 vendors flagged this skill as clean.