Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-scraping instruction skill, but users should apply their own authorization, privacy, and rate-limit controls.

Install only if you intend to use a web scraper and can verify any missing runtime script or dependencies from a trusted source. Scrape only public or authorized pages, keep crawl scope small, respect site policies and rate limits, and avoid collecting personal, confidential, login-protected, or regulated data unless you have clear permission.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill can be invoked for broadly defined website extraction tasks without clear guardrails on scope, targets, or acceptable use. In an agent setting, this increases the chance of unintended or overly aggressive scraping, including pages containing sensitive, private, or legally restricted content, even if the author likely intended general-purpose utility rather than abuse.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documentation provides operational scraping examples but omits warnings about privacy, terms-of-service, authorization, personal data collection, and system load from crawling/rendering. This makes misuse more likely by normalizing scraping behavior without informing users or downstream agents of legal, ethical, and operational constraints.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal