Security audit

Ghost Closer Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This scraper appears useful for business data collection, but it uses a live Chrome session and local environment file in ways that are not clearly disclosed.

Review this skill carefully before installing. Use it only in an isolated browser profile with no personal logins, remove or inspect any hard-coded .env loading, and confirm which domains it will contact before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet its own documentation indicates access to local environment data and external network resources. This is dangerous because an agent or user may invoke it without understanding that it reads a local `.env` path and performs web scraping/network activity, creating avoidable data exposure and trust-boundary issues.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior omits several materially sensitive actions: attaching to an existing Chrome instance over CDP, loading a specific local `.env` file, and scraping the business website beyond the stated sources. These hidden capabilities expand the skill's effective privileges and can expose local session data, secrets, or unexpected third-party interactions, especially because connecting to an already-running browser can access authenticated state.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code loads a hard-coded local .env file from a specific user path even though the stated function is web scraping. This can import unrelated secrets into the process and, combined with browser automation and arbitrary website access, increases the chance of unintended credential exposure or misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Connecting to an existing Chrome instance over CDP gives the script access to the user's live browser context, including cookies, authenticated sessions, open tabs, and browsing data well beyond the declared scraping task. In this skill, that means scraping can occur under the user's logged-in identities on Google, Facebook, or other sites without isolation or consent boundaries.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it scrapes Google Maps, Facebook, and Instagram, but the code also visits arbitrary business websites and extracts menu/services data. This scope expansion creates undisclosed outbound access and can reach untrusted domains, increasing privacy, compliance, and attack-surface risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell an agent to execute `python scraper.py ...` but do not warn that this runs local code, reads local configuration, and issues external network requests. In an agent setting, that omission can lead to silent execution of potentially sensitive actions without informed consent, increasing the risk of unintended data exposure or policy violations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Loading a local .env file that may contain credentials without any disclosure is a security and transparency problem. Even if the current code does not explicitly print secrets, importing credentials into memory is unnecessary for this task and creates avoidable exposure if later code, dependencies, or logs access them.

Missing User Warnings

High
Confidence
99% confidence
Finding
Using an existing Chrome debugging session allows the skill to operate with the user's active authenticated browser state, effectively scraping live browser data without clear warning. In the context of social platforms and maps, this can expose private account information, session-derived content, and data not intended for the skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill makes outbound requests to multiple third-party services and to arbitrary websites discovered during scraping, but there is no clear upfront disclosure in the code path about this network activity. While web scraping inherently requires network access, the lack of transparency is risky in an agent skill because users may not expect the breadth of destinations contacted.

VirusTotal

61/61 vendors flagged this skill as clean.
