Claw Web Fetch

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web-to-Markdown scraping skill with expected network use and an optional FlareSolverr path that users should treat as a trusted data destination.

Install only if you are comfortable trusting the clawfetch npm package and its dependency tree. Use it only for URLs you intend the agent to fetch, avoid sensitive, authenticated, internal, or tokenized URLs, and configure FLARESOLVERR_URL only to a local or otherwise trusted service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README documents use of an external FlareSolverr-compatible service for scraping challenge-protected pages but does not explicitly warn that requested URLs and potentially page content, headers, or cookies may be transmitted to that remote service. In a scraping skill intended for agent workflows, this can lead users to unknowingly send sensitive targets or session context to third-party infrastructure.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README encourages use of an external FlareSolverr service for bot-protected pages but does not clearly warn that requested URLs, session-derived page content, and potentially sensitive browsing targets will be transmitted to that service. In an agent setting, this can leak internal research targets or sensitive URLs to a third-party or less-trusted local service, creating privacy and data exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal