ClawHub

Web Page API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward JustOneAPI webpage fetcher, but users should avoid submitting private URLs and should protect the API token carefully.

Install only if you trust JustOneAPI with the URLs you submit and the fetched page content. Do not use it for private, internal-only, access-controlled, or secret-bearing URLs unless that data sharing is acceptable, and rotate the API token if it may have appeared in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API authentication token is defined as a query parameter and then appended into the request URL, which can expose secrets through logs, browser/history equivalents, proxy logs, monitoring systems, and upstream infrastructure. Even though the request is sent over HTTPS, putting credentials in the URL is an unsafe design because URLs are widely propagated and retained.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill forwards a user-supplied URL to a third-party web-fetching API, enabling arbitrary remote fetching behavior without any validation, restriction, or warning. In skill/agent contexts, this can be abused to retrieve internal, sensitive, or unexpected targets via the external service, creating SSRF-style data access or privacy issues depending on what the backend is willing to fetch.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API requires an authentication token to be sent as a query parameter, which is a known insecure pattern because query strings are commonly logged by servers, proxies, browser history, analytics systems, and monitoring tools. This increases the chance of credential disclosure and unauthorized reuse of the token, especially in a skill that fetches arbitrary user-supplied URLs and may be used across varied environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API documentation encourages sending arbitrary user-supplied URLs to an external web-fetch service, but it does not warn about the privacy and security implications of doing so. In practice, users may unknowingly transmit sensitive internal URLs, personal data in query strings, or bearer-style authentication tokens to a third-party service, which can lead to data exposure or unintended access patterns.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal