deep-scout

Security checks across malware telemetry and agentic risk

Overview

Deep Scout is a web-research skill whose network fetching, LLM synthesis, optional Firecrawl/browser use, and local report output match its stated purpose.

Install if you are comfortable with your research queries and fetched web content being sent through search, fetch/crawl, browser, and LLM tools. Avoid submitting secrets, private account pages, regulated data, or confidential internal URLs; use --no-browser or --no-firecrawl for more constrained research, and review generated citations before relying on reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 79%
Finding
The README asserts specific prompt-injection and shell-sanitization defenses, but this file provides no verifiable implementation evidence for those controls. In a research skill that searches, fetches, and synthesizes untrusted web content, overstating security guarantees can cause operators to trust the tool in higher-risk contexts and underestimate prompt-injection or unsafe content-handling exposure.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to send user queries and arbitrary URLs/content to multiple external services (search, fetch, Firecrawl, browser-assisted extraction, and LLM synthesis) without any explicit disclosure or consent step. That is dangerous because sensitive prompts, internal URLs, or retrieved page contents could be transmitted to third parties unexpectedly, increasing privacy, data-leakage, and compliance risk.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill supports writing the generated report to an arbitrary file path but does not warn users about local file creation or overwrite behavior. While this is a common feature, in an agent setting it can still cause unintended modification of local files if the path is user-influenced or misunderstood.

VirusTotal

64/64 vendors flagged this skill as clean.
