ClawHub

Web Site or Domain Name Basic Information Scanner

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its deep scan can follow sitemap links to unexpected hosts and it does not clearly warn users about all external lookups.

Install only if you are comfortable with a scanner that makes outbound requests and sends target-derived domain/IP data to third parties. Use it only on sites you are authorized to scan, avoid running deep scans against untrusted targets from sensitive networks, and prefer an isolated environment until same-origin and private-address protections are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The deep scan follows loc entries from the sitemap and fetches them without verifying they belong to the original target origin. A malicious or compromised site can publish sitemap entries pointing to arbitrary hosts, causing the scanner to make unintended outbound requests and enabling SSRF-style behavior or internal network probing from the environment where the tool runs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description advertises comprehensive scanning but does not clearly warn that it will make outbound requests to target sites and third-party services such as DNS, WHOIS, and Google indexing lookups. This matters because users may unknowingly trigger external traffic to sensitive targets or leak queried domains and metadata to third parties.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool sends target-derived data to multiple third parties and local network infrastructure, including ipapi.co, Google, DNS resolvers, WHOIS servers, and the scanned website itself, without any user-facing warning or consent flow. In enterprise or sensitive environments, this can disclose investigation targets, trigger external logging, and create privacy/compliance issues even when the code is functioning as designed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal