Agentql

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AgentQL browser-automation skill, but it needs review because it can connect to a user's existing browser session without clear safeguards.

Install only if you are comfortable giving an agent browser-automation capability. Prefer a fresh, isolated browser profile for scraping; do not connect it to your normal logged-in browser unless you explicitly want the agent to access that session. Review generated scripts before running them, keep AGENTQL_API_KEY out of source control and logs, and require confirmation before submitting forms, posting, purchasing, deleting, or changing account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly enables web scraping and browser automation but omits any guidance about respecting website terms of service, privacy obligations, rate limits, or operational impact. That omission can lead users to collect restricted data, automate against sites inappropriately, or cause unintended load, making misuse more likely even if the core capability is legitimate.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill instructs users to place an API key in an environment variable but provides no warning about secret handling, such as avoiding hardcoding, logs, screenshots, shell history leakage, or accidental commits. While environment variables are a common pattern, the lack of credential-safety guidance increases the chance of exposing the key during setup or debugging.

VirusTotal

65/65 vendors flagged this skill as clean.
