Tinyfish Fetch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward TinyFish web-fetch helper. The main risk is that requested URLs and fetched content are sent to TinyFish.

Install only if you are comfortable with TinyFish receiving the URLs you ask it to fetch and processing the resulting page content. Avoid private intranet pages, localhost or cloud-metadata URLs, authenticated links, and URLs containing tokens unless that data flow is approved, and protect the TinyFish API key like any other service credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands (`curl`, shell pre-flight check, and helper script usage) but does not declare permissions/capabilities accordingly. This creates a transparency and policy gap: users or platforms may not realize the skill can execute shell operations and make outbound requests, increasing the risk of unsafe execution or improper sandboxing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends user-supplied URLs and associated page-fetch requests to a third-party service (TinyFish Fetch API), but the documentation does not clearly warn users that their requested targets and fetched content are transmitted to an external provider. This can expose sensitive URLs, internal endpoints, tokens embedded in URLs, or confidential browsing targets to a third party without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
## Basic Fetch

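```bash
# Sends the listed URLs to the TinyFish Fetch API; the API key is read from the environment.
curl -X POST "https://api.fetch.tinyfish.ai" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "urls": ["https://example.com"],
    "format": "markdown"
  }'
```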
Confidence
95% confidence
Finding
```bash
curl -X POST "https://api.fetch.tinyfish.ai" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "urls": ["https://example.com"],
    "format": "markdown"
  }'
```

VirusTotal

67/67 vendors flagged this skill as clean.