Web Page Clipping Tool

Security checks across malware telemetry and agentic risk

Overview

This skill fetches a user-provided webpage and saves extracted text as Markdown, with some documentation gaps but no evidence of hidden or malicious behavior.

Install this only if you want a command-line webpage clipping tool. Provide only URLs you intend to fetch, choose the output directory deliberately, treat saved page content as untrusted text, and avoid setting Feishu credentials unless you intentionally want to test or extend that optional path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises network access and local file writing behavior through its documented usage, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and informed consent, making it easier for a user or host platform to invoke code that fetches remote content and writes files without clear policy gating.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description explains that webpages are extracted and saved as Markdown, but it does not clearly warn users that arbitrary URLs will be fetched over the network and written to local storage. This omission can mislead users about privacy, data transfer, storage side effects, and the risk of saving attacker-controlled content to disk.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
When Feishu output is selected, the script prepares clipped page text and source URL for transmission to a third-party service without any explicit privacy warning or confirmation. In a clipping tool, users may process sensitive internal pages or personal content, so silent remote transfer increases confidentiality risk even though it is user-triggered.

VirusTotal

65/65 vendors flagged this skill as clean.
