Scraper Airbnb Product By Searchurl

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for building Dataify Airbnb scraper requests, but its helper script can print the real API token into a curl command, creating a credential exposure risk.

Review this before installing if you will use a real Dataify token. The skill does not appear malicious, but the helper script can expose the token in terminal output; prefer commands that reference $DATAIFY_API_TOKEN instead of printing the actual value, and avoid sharing generated curl output unless the Authorization header is redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to check for and use DATAIFY_API_TOKEN to build an authenticated request to an external endpoint, but it does not require explicit user notice or consent that credentials and user-supplied parameters will be sent to scraperapi.dataify.com. In an agent setting, this can cause unintended external transmission of potentially sensitive data or use of privileged API credentials without clear authorization.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script prints a fully formed curl command that embeds the bearer token from DATAIFY_API_TOKEN directly into the output. This can leak credentials through terminal scrollback, shell history, logs, CI output, copy/paste into tickets, or shared transcripts, making the token easy to expose even if the underlying network request is expected.

VirusTotal

65/65 vendors flagged this skill as clean.
