Back to skill

Security audit

web-fetch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed web-fetching tool, but it uses stealth browser automation on arbitrary URLs and disables Chromium sandboxing without enough user safeguards.

Install only if you specifically need stealth browser fetching. Use it only for sites where automated access is authorized, avoid secrets or internal addresses in URLs, and run it in an isolated environment because it disables Chromium sandboxing while loading arbitrary webpages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly fetches arbitrary URLs using a browser with stealth/anti-bot capabilities, but the documentation does not warn users that requesting third-party URLs transmits network metadata and may expose internal access patterns, credentials in URLs, or sensitive browsing targets. In this context, the omission is more dangerous because the skill is designed to access remote sites and bypass basic anti-scraping controls, increasing the chance that users invoke it on sensitive or policy-restricted destinations without understanding the privacy and compliance implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.