ClawHub

Decodo Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Decodo web-scraping skill that sends user-chosen searches or URLs to Decodo using a Decodo API token, with no hidden persistence or destructive behavior found.

Install only if you are comfortable sharing submitted URLs, search terms, video IDs, and returned scraping requests with Decodo. Use a dedicated Decodo token, keep it out of shared repos, avoid sensitive internal URLs or regulated data, and pin dependencies in controlled or production environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages users to submit arbitrary URLs and search queries, but it does not prominently warn that those inputs and the fetched page contents are transmitted to Decodo's third-party scraping API. This can lead to unintended disclosure of sensitive URLs, internal resources, search terms, or scraped data to an external processor, which is especially risky in agent workflows where users may not realize data leaves the local environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill forwards arbitrary user-provided queries or URLs, along with an authorization token, to a third-party external scraping API. In a skill context, this creates a real privacy and data-governance risk because users may not realize their inputs are being transmitted off-platform, and supplied URLs may reference sensitive internal resources if upstream controls are weak.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
96% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
93% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal