ClawHub

markdown.new/crawl

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only crawler skill that does what it says, but users should avoid using it on private or sensitive URLs.

Use this for public websites or documentation where third-party processing is acceptable. Avoid intranet pages, localhost URLs, authenticated content, presigned links, confidential documents, or URLs containing tokens unless you are comfortable with markdown.new receiving and retaining the crawl output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is broad enough that the skill may activate for loosely related URL-extraction requests and initiate external crawling when the user did not clearly request this specific service. In an agent setting, over-broad activation increases the chance of unintended network actions and unnecessary disclosure of user-supplied URLs to a third-party endpoint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send target URLs to an external service but does not warn that user-provided URLs, crawl scope, and potentially sensitive internal or private endpoints may be transmitted off-platform. This lack of disclosure is risky because users may provide confidential documentation URLs or internal hosts without understanding they will be shared with a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
### Core Commands

```sh
curl -X POST "https://markdown.new/crawl" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://docs.example.com","limit":50}'
```
Confidence
94% confidence
Finding
curl -X POST "https://markdown.new/crawl" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal