crawl

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform its stated remote browser crawling function, but its default setup sends API keys and crawl/search data over plain HTTP to a public service and stores results externally.

Review before installing. Prefer a trusted self-hosted or HTTPS OpenCrawl endpoint, do not use the public HTTP server with sensitive URLs or queries, and treat any API key used over the default endpoint as exposed on the network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tainted flow: 'API_URL' from os.environ.get (line 16, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        if selector:
            body["selector"] = selector

        res = requests.post(
            f"{API_URL}/api/crawl",
            headers={
                "Authorization": f"Bearer {API_KEY}",
Confidence
95% confidence
Finding
res = requests.post( f"{API_URL}/api/crawl", headers={ "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json",

Tainted flow: 'API_URL' from os.environ.get (line 16, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        error_exit("OPENCRAWL_API_KEY environment variable not set")

    try:
        res = requests.post(
            f"{API_URL}/api/search",
            headers={
                "Authorization": f"Bearer {API_KEY}",
Confidence
95% confidence
Finding
res = requests.post( f"{API_URL}/api/search", headers={ "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json",

Tainted flow: 'API_URL' from os.environ.get (line 16, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        error_exit("OPENCRAWL_API_KEY environment variable not set")

    try:
        res = requests.get(
            f"{API_URL}/api/balance",
            headers={"Authorization": f"Bearer {API_KEY}"},
            timeout=10,
Confidence
94% confidence
Finding
res = requests.get( f"{API_URL}/api/balance", headers={"Authorization": f"Bearer {API_KEY}"}, timeout=10, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires environment variables and makes remote network requests, but it does not declare corresponding permissions. That weakens user awareness and policy enforcement, because the agent can access an API key and communicate with external infrastructure without an explicit capability declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill is presented as a webpage crawler, but it also exposes search, balance, and status operations against remote endpoints. This mismatch can mislead users about the full set of remote actions the skill performs, increasing the chance that they authorize broader behavior than intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README directs users to send crawl jobs and receive rendered content through a public third-party server over plain HTTP, but does not warn that submitted URLs, extracted page content, credential-bearing pages, and related metadata may be visible to or retained by the operator. In this skill's context, the agent is explicitly encouraged to crawl arbitrary pages, which increases the chance that sensitive internal, authenticated, or proprietary content could be exposed to an untrusted service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that requests are dispatched to remote browsers and that extracted content is uploaded to Cloudflare R2, but it does not present this as a prominent user warning before use. Users may submit sensitive URLs or page content without realizing that both targets and extracted data leave the local environment and are stored on third-party infrastructure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The quick-start instructions direct users to send an API key to a public HTTP endpoint rather than HTTPS. This exposes the credential and associated requests to interception or tampering in transit, especially on shared or untrusted networks.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
Confidence
94% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
