Scrapling - Stealth Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a transparent web-scraping skill, but its anti-bot bypass and arbitrary-URL fetching need careful review before use.

Install only in a trusted, preferably isolated environment. Use it only for sites you own or are explicitly allowed to scrape, treat stealth and Cloudflare-bypass mode as deliberate actions requiring clear user approval for the target site, avoid paywalls or restricted content, and do not start the MCP server unless you understand who can reach the local service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill clearly enables outbound network access to arbitrary URLs for scraping, including stealth and dynamic browser modes, but it does not declare any corresponding permissions. Missing permission declarations weaken policy enforcement and user awareness, making it easier for an agent to perform network actions without explicit approval boundaries. The anti-bot and local MCP server context increases sensitivity because the skill can reach external sites and optionally expose a local HTTP service.

Missing User Warnings

Medium
Confidence: 88%
Finding
The file includes a concrete example for bypassing Cloudflare and anti-bot protections via a stealth fetcher, but it does not pair that guidance with prominent authorization, privacy, and legal-use constraints at the point of use. In a skill explicitly designed for scraping protected or JS-rendered sites, this omission increases the chance that an agent or user will apply stealth automation against sites without permission, potentially violating access controls, terms, or privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
