Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real scraping helper, but it needs Review because it teaches AI-assisted bypass of website protections without enough authorization, privacy, or user-control guidance.

Install only if you plan to scrape sites you own or are explicitly authorized to test. Review commands before running package installs, browser downloads, Docker pulls, MCP setup, proxy use, Cloudflare/anti-bot bypass, or robots.txt overrides. Avoid using auto_save, cache, sessions, or MCP on authenticated, private, personal, regulated, or proprietary pages unless you have a clear retention and access-control plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The troubleshooting guidance explicitly recommends setting `robots_txt_obey = False` to improve crawl speed, which encourages bypassing site operators' access preferences and can facilitate unauthorized or non-compliant scraping. In the context of a scraping framework that already emphasizes stealth and anti-bot evasion, this materially increases abuse potential rather than serving a purely diagnostic purpose.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly promotes anti-bot bypass, Cloudflare Turnstile circumvention, proxy rotation, large-scale scraping, and AI-directed extraction, but provides no safety boundaries, authorization requirements, rate-limit guidance, or legal/privacy warnings. In an agent skill context, this increases the likelihood that an AI system will help automate unauthorized scraping or evasion against protected services, making misuse materially easier.

Missing User Warnings

Low
Confidence: 95%
Finding
The installation guide explicitly says the commands can be auto-executed by AI and then provides package installation commands that download code from external package registries. In an agent skill context, encouraging unattended execution without a warning about network access, package trust, or review increases the risk of supply-chain exposure and unintended external connectivity.

Missing User Warnings

Low
Confidence: 96%
Finding
The verification snippets make outbound requests to external sites such as httpbin.org and example.com without warning the user or agent that execution will contact third-party services. In AI-assisted or restricted environments, this can leak metadata, violate network policies, or trigger unintended browsing/automation behavior.

Missing User Warnings

Medium
Confidence: 92%
Finding
The quickstart explicitly demonstrates bypassing Cloudflare protections and automatically solving Turnstile challenges without any warning about authorization, terms-of-service, or legal/compliance boundaries. In a scraping framework aimed at large-scale extraction, this lowers the barrier to misuse and can facilitate unauthorized access patterns or anti-bot evasion by users who may treat the examples as endorsed behavior.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation states that element snapshots are stored in a local database but does not warn that captured page structure or content may include sensitive, proprietary, or personal data and persist on disk. This can lead to unintended data retention, privacy exposure, or insecure local storage practices, especially when scraping authenticated or internal pages.

Ssd 4

Medium
Confidence: 94%
Finding
This section provides concrete instructions for bypassing Cloudflare and anti-bot protections, including use of stealth fetchers, Turnstile solving, and behavior tuning to evade detection. In a scraping-focused skill, such guidance operationalizes access-control circumvention and makes misuse against protected sites significantly easier.

VirusTotal

65/65 vendors flagged this skill as clean.
