Diffbot Fetch

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should know that submitted URLs and the Diffbot API token are sent to Diffbot.

Reasonable to install if you trust Diffbot for this use. Do not use it with internal, access-controlled, pre-signed, localhost, or sensitive URLs unless sharing those URLs with Diffbot is acceptable, and keep the Diffbot API key scoped and protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill says it can fetch content from any URL, but it does not warn that the requested URL will be transmitted to the external Diffbot API. This can expose sensitive or internal URLs, tokens embedded in query strings, or user browsing targets to a third party, especially if the skill is used on non-public links.

VirusTotal

61/61 vendors flagged this skill as clean.
