Crawleo Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Crawleo search and crawling integration that sends user-chosen queries or URLs to Crawleo using an API key, with no evidence of hidden persistence, local data access, or credential leakage.

Install this only if you trust Crawleo and the publisher. Treat CRAWLEO_API_KEY as a real account credential, monitor usage and credits, and avoid sending confidential search terms, private/internal URLs, or access-controlled pages unless you are comfortable sharing them with Crawleo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The contract explicitly defines external API transmission of user queries, URLs, and authentication material, but it does not include any user-facing disclosure, consent, or data-handling warning. In an agent setting, this can cause sensitive prompts, internal URLs, or proprietary targets to be sent to a third-party service without the user clearly understanding that external transmission will occur.

VirusTotal

66/66 vendors flagged this skill as clean.
