Traktor Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a coherent website asset scraper, but it should be reviewed because scraped website data is later placed into shell commands without clear sanitization.

Install only if you are comfortable reviewing its behavior. Use it on sites you are authorized to scrape, preferably from a logged-out or separate browser profile, keep URL batches small, and ensure generated filenames/URLs are sanitized before running curl commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill automates broad website scraping, browser-driven extraction, bulk asset downloading, and local file creation, but provides no guardrails around authorization, robots/ToS compliance, privacy-sensitive content, or storage impact. In context, this is more dangerous because it encourages 'paranoid-level thoroughness' and parallel extraction across multiple URLs, which increases the chance of over-collection, legal/privacy issues, and unintended data retention on the local system.

VirusTotal

66/66 vendors flagged this skill as clean.
