ClawHub

Apify Google News Scraper

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for running a Google News scraping workflow through Apify, with expected third-party API use but no hidden local execution or destructive behavior.

Install only if you are comfortable using Apify for news scraping. Use a dedicated or least-privilege Apify token if available, avoid sensitive monitoring topics, review the named Apify actor and its costs/retention behavior, and prefer header-based authentication over putting tokens in URLs when adapting the examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad enough to capture routine requests about reading or summarizing news, causing the agent to invoke this skill in situations where the user did not intend third-party scraping. In context, that broad routing increases the chance that ordinary user prompts and topic interests are unnecessarily sent to Apify, expanding privacy and data-sharing exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes functionality but does not disclose that user search queries are transmitted to Apify and that the resulting dataset may include full article text from third-party sources. This omission is dangerous because users and downstream agents may unknowingly send sensitive topics, monitoring interests, or regulated content to an external processor without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
BASE = "https://api.apify.com/v2"

# Step 1: Start the run
response = requests.post(
    f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}",
    json={
        "searchQueries": ["AI"],
Confidence
95% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Taiwan news in Chinese

```python
requests.post(
    f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}",
    json={
        "searchQueries": ["台灣"],
Confidence
93% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Multiple queries

```python
requests.post(
    f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}",
    json={
        "searchQueries": ["AI", "climate", "crypto"],
Confidence
93% confidence
Finding
requests.post( f"{BASE}/acts/futurizerush~google-news-scraper/runs?token={TOKEN}", json=

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Start the run
RUN_RESPONSE=$(curl -s -X POST \
  "https://api.apify.com/v2/acts/futurizerush~google-news-scraper/runs?token=$APIFY_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"searchQueries": ["AI"], "region": "us", "language": "en", "dateFilter": "1d", "maxResults": 10}')
Confidence
96% confidence
Finding
curl -s -X POST \ "https://api.apify.com/v2/acts/futurizerush~google-news-scraper/runs?token=$APIFY_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
import requests, os, time

TOKEN = os.environ["APIFY_API_TOKEN"]
BASE = "https://api.apify.com/v2"

# Step 1: Start the run
response = requests.post(
Confidence
90% confidence
Finding
https://api.apify.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Start the run
RUN_RESPONSE=$(curl -s -X POST \
  "https://api.apify.com/v2/acts/futurizerush~google-news-scraper/runs?token=$APIFY_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"searchQueries": ["AI"], "region": "us", "language": "en", "dateFilter": "1d", "maxResults": 10}')
Confidence
95% confidence
Finding
https://api.apify.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Poll until done
while true; do
  STATUS=$(curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID?token=$APIFY_API_TOKEN" \
    | jq -r '.data.status')
  [ "$STATUS" = "SUCCEEDED" ] && break
  [ "$STATUS" = "FAILED" ] || [ "$STATUS" = "ABORTED" ] && echo "Failed: $STATUS" && exit 1
Confidence
90% confidence
Finding
https://api.apify.com/

External Transmission

Medium
Category
Data Exfiltration
Content
done

# Step 3: Fetch results
curl -s "https://api.apify.com/v2/datasets/$DATASET_ID/items?token=$APIFY_API_TOKEN" | jq '.'
```

## Output Format
Confidence
94% confidence
Finding
https://api.apify.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal