Web Monitor

Security checks across malware telemetry and agentic risk

Overview

This web page monitoring skill behaves consistently with its stated purpose: it stores monitor data locally and only sends webhook or diagnostic data when the user configures or invokes those features.

Install only if you are comfortable with a local tool storing monitored URLs and page snapshots under ~/.web-monitor. Be careful with webhook destinations because monitored URLs and change details leave your machine, and review debug or feedback output before sharing it because it can include local system details or prior feedback text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Tainted flow: 'feedback_log' from os.environ.get (line 1076, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    feedback_log = STORE_DIR / "feedback.log"
    ensure_dirs()
    timestamp = datetime.now(timezone.utc).isoformat()
    with open(feedback_log, "a", encoding="utf-8") as f:
        f.write(f"\n--- {timestamp} ---\n{message}\n{sys_info}\n")

    # Build GitHub issue URL
Confidence
78% confidence
Finding
with open(feedback_log, "a", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises and documents capabilities that read/write local files, access the network, invoke shell commands, and potentially inspect environment-dependent tooling, but it declares no permissions. That mismatch prevents informed consent and weakens sandbox/policy enforcement, especially because the skill stores data under ~/.web-monitor, fetches arbitrary URLs, opens browsers, and supports webhooks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented behavior extends beyond simple web monitoring into feedback logging, debug output, import/export, and generating/opening a local GUI, which increases data handling and execution surface beyond the stated purpose. While not inherently malicious, undisclosed ancillary behaviors can expose local data, surprise users, and create unintended exfiltration or privacy risks when combined with stored monitor contents and debug logs.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The debug command prints local system metadata and recent feedback log contents directly to stdout. In agent or shared-terminal contexts, that can expose sensitive local details or user-supplied feedback contents to downstream logs, transcripts, or other observers beyond the intended troubleshooting use.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation guidance is broad enough that the skill may activate for many ordinary requests involving checking websites, tracking items, or updates, increasing the chance it runs without the user understanding it will persist monitors, fetch remote content, or send webhooks. This is primarily a safety and consent issue rather than a direct exploit, but it can lead to over-collection and unintended external requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports sending JSON payloads with monitor metadata, URLs, event details, and potentially page-derived information to arbitrary webhook endpoints, but the description does not clearly warn users that monitored data leaves the local system. In this context, that omission is significant because users may monitor sensitive or account-specific pages, and arbitrary endpoints could receive private URLs, pricing, or content-derived summaries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Webhook POSTs transmit monitor identifiers, labels, monitored URLs, timestamps, and event details to arbitrary configured endpoints. Because execution-time output does not prominently warn that monitored URLs and event metadata are being sent off-host, users may unintentionally disclose browsing targets, commercial interests, or other sensitive monitoring activity.

VirusTotal

64/64 vendors flagged this skill as clean.