Back to skill

Security audit

Web Content Fetcher (WeChat images fix)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward web-page-to-Markdown fetcher with expected network access, but users should avoid sensitive URLs and install dependencies carefully.

Install this only if you want an agent helper that fetches arbitrary web pages. Use a virtual environment and consider pinning dependency versions. Do not pass private, signed, localhost, internal-network, or confidential URLs unless you are comfortable with them being fetched, and avoid the Jina Reader fallback for sensitive URLs because it sends the target URL to an external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill description and documented behavior do not align: it advertises Jina Reader fallback that is not actually implemented, and it exposes a JSON mode returning additional metadata beyond the promised clean Markdown. Behavior mismatches are dangerous because they can mislead users and orchestration layers about what data is collected, returned, or transmitted, which weakens trust boundaries and can cause unintended data exposure or unsafe tool selection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly encourages fetching arbitrary URLs and documents fallback to an external service (Jina Reader), but it does not warn users that requested URLs and possibly retrieved page content may be transmitted to third parties. In a skill intended for broad use on arbitrary web pages, this omission can expose sensitive URLs, internal links, or proprietary content to external services without informed user consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to activate on common requests like reading, summarizing, or general page understanding, which can cause the skill to run in more situations than users or the system intend. Over-broad activation increases the chance of unnecessary external network access to arbitrary URLs, expanding the attack surface for SSRF-like fetches, privacy leakage, and misuse of remote content retrieval in otherwise local-only tasks.

Unpinned Dependencies

Low
Category
Supply Chain
Content
scrapling
html2text
Confidence
95% confidence
Finding
scrapling

Unpinned Dependencies

Low
Category
Supply Chain
Content
scrapling
html2text
Confidence
93% confidence
Finding
html2text

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.