ClawHub

web-to-markdown

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-scraping and image-download skill, but users should avoid using it with private or token-bearing URLs.

Suitable for public webpages and image collection. Do not use it on private, authenticated, internal, signed, or token-bearing URLs unless you are comfortable sending those URLs and fetched content to the listed external services. Choose output directories deliberately and review Python dependencies before installing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly performs network access to third-party services and supports writing downloaded content to local storage, yet it declares no permissions or trust boundaries. This can cause users or orchestrators to invoke it without understanding that it can exfiltrate requested URLs/page content to external services and persist scraped data locally.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation guidance is broad enough to match many generic requests about reading web pages, collecting images, or organizing information, which increases the chance the skill is auto-selected in situations where sensitive URLs or copyrighted/private content are involved. Because the skill can contact external conversion services and download files, overbroad routing can lead to unintended data disclosure or unnecessary network/file activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs use of third-party conversion proxies like markdown.new, defuddle.md, and r.jina.ai without warning that those services receive the target URL and may also retrieve and process the page contents on the user's behalf. If used on private links, internal resources, signed URLs, or sensitive pages, this can disclose confidential data to external operators and create an SSRF-like proxying risk through third-party infrastructure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends the user-supplied destination URL to r.jina.ai by constructing `https://r.jina.ai/{url}`, which discloses the browsing target to an external third-party service. In a web-scraping skill, users may supply sensitive internal, private, or tokenized URLs; forwarding them without an explicit warning or opt-in can leak confidential endpoints, query parameters, and access patterns outside the user's expected trust boundary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function forwards the user-supplied target URL to r.jina.ai by constructing a proxy request instead of fetching the page directly. This leaks the user's requested destination and potentially sensitive query parameters to a third-party service without explicit disclosure or consent, which creates a real privacy and data-handling risk even if the code is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal