Security audit

Panscrapling Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is an openly disclosed web scraper, but it can bypass anti-bot protections and automatically install persistent system/browser dependencies during normal use.

Install only if you intentionally need this level of scraping capability, are authorized to automate the target sites, and are comfortable with first-use installation of system tools, Python packages, and browser binaries. Prefer running it in a sandbox or disposable environment and review setup.py before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Run setup.py
    if SETUP_SCRIPT.exists():
        print("📦 Running setup script...")
        subprocess.run([sys.executable, str(SETUP_SCRIPT)], check=False)
        
        # Re-detect
        python_path = find_python()
Confidence
90% confidence
Finding
subprocess.run([sys.executable, str(SETUP_SCRIPT)], check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill exposes network and shell-capable behavior without declaring permissions, which prevents meaningful user review before execution. In this context, the undeclared capabilities are especially relevant because the skill also advertises automatic installation and external downloads, increasing the chance of unexpected system changes or outbound connections.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is web scraping, but the described behavior extends to installing Homebrew, altering the system environment, installing a specific Python version, and falling back to online package installation. That mismatch is dangerous because users may invoke a scraper expecting content retrieval, while the skill performs privileged software-management actions and reaches out to additional supply-chain sources.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Automatically installing Python, Homebrew-managed packages, and browser binaries goes beyond the core task of scraping and creates unnecessary attack surface on the host system. Even if intended for convenience, unattended installation can modify system state, introduce persistence of dependencies, and expose users to supply-chain risk from downloaded components.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Advertising automatic bypass of Cloudflare and anti-bot protections as a primary capability materially increases abuse potential. In this skill context, that feature is not a benign implementation detail; it is a first-class evasion mechanism that can facilitate unauthorized scraping, circumvention of access controls, and violations of site protections.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Very broad trigger phrases like generic requests to fetch or extract web content increase the likelihood that the skill activates in contexts where the user did not intend a powerful scraper with installation and evasion behavior. Because this skill can perform downloads, browser setup, and protected-site scraping, accidental invocation is more dangerous than it would be for a narrowly scoped read-only utility.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description notes automatic installation, but it does not provide a strong, explicit warning that invoking the skill may download software, modify the environment, and install browser components. That lack of clear warning undermines informed consent and can surprise users with network activity and system changes unrelated to a simple scraping request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs an automatic installation step by launching a secondary script as part of normal fetch behavior, with only a generic message. In an agent skill, hidden or implicit installation is risky because users may trigger arbitrary local code execution simply by requesting a scrape, and the skill description explicitly advertises auto-installation and bundled offline wheels, which increases the blast radius.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The fetch logic performs outbound network access, including stealthy and dynamic modes intended to bypass Cloudflare or anti-bot controls, without an explicit runtime warning or policy gate. In a security-sensitive agent environment, this can lead to unauthorized external requests, compliance issues, or misuse of the host as a proxy for evasion-oriented scraping.

VirusTotal

65/65 vendors flagged this skill as clean.