ClawHub

Dataify Web Unlocker

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Dataify API wrapper, but users should avoid sending private URLs, cookies, or headers unless they intentionally want Dataify to receive them.

Install only if you intend to use Dataify as a third-party web-fetching service. Treat DATAIFY_API_TOKEN like a password, rotate it if exposed, and do not send authentication cookies, Authorization headers, internal URLs, private account pages, or regulated data unless you understand that Dataify may receive them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description contains broad activation language such as using the skill whenever a page is difficult to retrieve or needs rendering/headers/cookies, which could cause the agent to invoke it for common browsing tasks without sufficiently narrow user intent. In context, that matters because this skill can transmit arbitrary URLs, headers, and cookies to an external service, increasing the chance of unintended data disclosure or overuse of a powerful network capability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to store and use `DATAIFY_API_TOKEN` but does not clearly warn that this credential is transmitted to Dataify as an authorization bearer token on every API call to a third-party service. This omission can mislead users about the trust boundary and cause them to disclose secrets to an external provider without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation says `headers` and `cookies` are passed through as raw strings to the API, but it does not warn that these values may contain session tokens, CSRF tokens, or other sensitive identifiers that will be transmitted to a third-party service. In this skill's context, that creates a real risk of credential or session leakage because users may copy browser-derived headers/cookies to bypass site protections.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script forwards potentially sensitive inputs including the target URL, custom headers, and cookies to an external API without any explicit disclosure, confirmation, or guardrails. In an agent-skill context, this is more dangerous because callers may assume the fetch happens locally and may unknowingly send session cookies, auth headers, internal URLs, or other confidential request metadata to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
& ".\scripts\invoke-dataify-web-unlocker.ps1" -Url "https://example.com" -DryRun
```

## Raw curl fallback

If the user explicitly wants the raw request, use `curl.exe` in PowerShell, not `curl`, to avoid the PowerShell alias ambiguity.
Confidence
89% confidence
Finding
curl fallback If the user explicitly wants the raw request, use `curl.exe` in PowerShell, not `curl`, to avoid the PowerShell alias ambiguity. Before calling the API, check the token: ```powershell

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal