ClawHub

Scrapling Fetch

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web-scraping skill, but it needs Review because it can bypass site protections, forward URLs to third parties, charge a billing account, and contains a crafted-URL code execution bug.

Install only if you intentionally need authorized scraping of public pages and are comfortable with browser automation dependencies. Avoid private, internal, token-bearing, or untrusted URLs; avoid the paid script until the hardcoded API key, explicit charge confirmation, and URL code-injection bug are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(json.dumps(result, ensure_ascii=False))
"""
    
    result = subprocess.run(
        [VENV_PYTHON, "-c", code],
        capture_output=True,
        text=True,
Confidence
97% confidence
Finding
result = subprocess.run( [VENV_PYTHON, "-c", code], capture_output=True, text=True, timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(json.dumps(result, ensure_ascii=False))
"""
    
    result = subprocess.run(
        [VENV_PYTHON, "-c", code],
        capture_output=True,
        text=True,
Confidence
97% confidence
Finding
result = subprocess.run( [VENV_PYTHON, "-c", code], capture_output=True, text=True, timeout=120 )

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The tool explicitly advertises anti-bot bypass and uses a `StealthyFetcher` for sites identified as protected. In an agent skill, this meaningfully increases abuse potential by enabling automated access patterns designed to evade site defenses and consent boundaries.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The scraping path uses a dynamically constructed Python snippet executed in a subprocess, giving the tool a code-execution capability far beyond ordinary fetching. Because the snippet interpolates untrusted URL data, this becomes a realistic code-injection vector rather than merely an architectural smell.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises 'automatic charging' and shows a paid invocation flow, but it does not place a clear spending warning at the point of use beyond the price mention elsewhere. In an agent/skill context, hidden or insufficiently prominent spend implications can lead to unintended charges by users or automated systems invoking the skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes external billing API calls that transmit a user identifier and API key to a third-party service, but it does not warn about data handling, retention, or privacy implications. In a skill ecosystem, this omission can cause operators to unknowingly expose identifiers or secrets to external infrastructure.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes very broad phrases such as generic web-fetching and access-failure terms, which can cause the skill to be invoked in contexts the user did not specifically intend. In this skill, that risk is amplified because the tool is designed to fetch arbitrary URLs and route requests through anti-bot bypass mechanisms, increasing the chance of unintended third-party requests and data exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation references Jina Reader and external billing endpoints but does not clearly warn users that requested URLs, fetched content, and possibly identifiers may be transmitted to third-party services. This is dangerous because users may submit sensitive or private URLs under the assumption that processing is local, resulting in unintended disclosure to external providers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends `user_id` and billing events to an external service without any visible user notice, consent flow, or minimization in this file. In a skill context, hidden transmission of identifiers to third parties can create privacy, compliance, and trust issues, especially when tied to payment activity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The requested browsing target is forwarded to `r.jina.ai`, meaning user-supplied URLs and potentially sensitive research targets are disclosed to an external service. In a fetching skill, undisclosed third-party relaying materially increases privacy and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal