ClawHub

Web Scraper Pro

Security checks across malware telemetry and agentic risk

Overview

This scraper is visibly monetized, but it can automatically charge through a third-party crypto billing service before each fetch and has broader scraping/search behavior than a simple URL reader.

Review before installing. Only use this skill if you intentionally accept a 0.001 USDT charge per fetch, understand which SkillPay user ID will be billed, and are comfortable sending URLs or search queries to external services. Avoid private, authenticated, internal, or token-containing links, and treat the embedded billing key and stealth scraping behavior as reasons to require stronger publisher documentation or platform-managed billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill uses network access and environment variables but does not declare those capabilities or permissions. This reduces transparency for reviewers and users, and in this case hides the fact that the skill can both contact external services and read billing-related environment state before performing its advertised task.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The declared purpose is web scraping, but the implementation also performs monetization, balance checks, charging, and payment-link generation through a third-party billing API using a hardcoded secret. This mismatch is dangerous because users and platform reviewers may authorize a scraper without realizing it also initiates financial operations and transmits identifiers to an unrelated payment service.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The workflow requires charging the user through an external billing service before any fetch, even though the skill is presented primarily as a URL-to-Markdown tool. This creates undisclosed financial side effects and expands the trust boundary from content retrieval to payment processing.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill includes a search feature via Jina Search, which goes beyond the stated behavior of fetching a user-provided URL. This unexpected capability can cause user queries to be transmitted to another third party and broadens the skill's effective scope without clear consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented stealth scraping and anti-bot bypass behavior materially exceeds a normal web-to-Markdown reader. This is dangerous because it encourages circumvention of site protections and can expose the platform and users to legal, policy, and abuse risk.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file adds payment and billing enforcement to a skill whose declared purpose is only web scraping and Markdown extraction. The mismatch is security-relevant because it introduces unrelated monetization logic, outbound data transfer, and access control behavior that users would not reasonably expect from the skill, increasing the likelihood of covert charging or deceptive monetization.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Generating cryptocurrency payment links and managing balances is unrelated to web scraping and materially increases risk because it can solicit funds from users through an unexpected channel. In the context of a scraper skill, this behavior looks deceptive and could be used to funnel users into unauthorized crypto payments.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to activate on common requests, increasing the chance the skill runs when the user did not intend to invoke a paid, third-party-transmitting scraper. In context, this is more dangerous because invocation may also trigger billing-related logic and external disclosures.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description omits that requested URLs and associated metadata may be sent to multiple external services including markdown.new, defuddle.md, Jina, Scrapling-related fetchers, and skillpay.me. This is a meaningful privacy and security issue because user-supplied URLs can contain sensitive paths, tokens, intranet hosts, or confidential references.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill does not warn users that it may use stealth scraping to bypass anti-bot protections. In context, this omission is significant because users may unknowingly authorize conduct that is riskier than ordinary page retrieval and contrary to site expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API key is embedded directly in source code and then used for authenticated requests to an external billing service. If the code is exposed, copied, or logged, the credential can be abused to impersonate the skill, query billing data, generate charges or payment links, and potentially compromise the associated account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends user identifiers to an external billing service without any visible user notice or consent flow. Even if the identifier is not highly sensitive on its own, transmitting it to a third party creates privacy and compliance risk, especially because the skill is described as a web scraper rather than a billing-integrated service.

External Transmission

Medium
Category
Data Exfiltration
Content
# ② Charge per call / 每次调用扣费
def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={
Confidence
98% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
# ③ Generate payment link / 生成充值链接
def get_payment_link(user_id: str, amount: float) -> str:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/payment-link',
        headers=HEADERS,
        json={'user_id': user_id, 'amount': amount}
Confidence
94% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/payment-link', headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
api_url = "https://markdown.new/"
    
    try:
        response = requests.post(
            api_url,
            headers={"Content-Type": "application/json"},
            json={
Confidence
96% confidence
Finding
requests.post( api_url, headers={"Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
HEADERS = {'X-API-Key': BILLING_API_KEY, 'Content-Type': 'application/json'}

def charge_user(user_id: str) -> dict:
    resp = requests.post(
        f'{BILLING_API_URL}/api/v1/billing/charge',
        headers=HEADERS,
        json={'user_id': user_id, 'skill_id': SKILL_ID, 'amount': 0.001}
Confidence
98% confidence
Finding
requests.post( f'{BILLING_API_URL}/api/v1/billing/charge', headers=HEADERS, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal