ClawHub

Web Crawling Html API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Just Serp API wrapper for fetching webpage HTML, with privacy cautions around URLs and returned page content.

Install only if you are comfortable sending target URLs to Just Serp API and receiving raw page HTML back. Use it for public or authorized pages, avoid sensitive or internal links, and avoid logging or sharing returned HTML without checking for private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly accepts a user-supplied URL and sends it to an external crawling service to retrieve full raw HTML, but the manifest provides no warning about outbound network access or third-party data transmission. This can lead to unintended disclosure of sensitive URLs, tokens embedded in query strings, intranet addresses, or user-provided private resources, especially if an agent invokes the tool without making the network action clear to the user.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation describes an endpoint that fetches and returns full raw HTML from arbitrary user-supplied URLs, but it does not warn users that responses may contain sensitive page content, tokens embedded in markup, internal application data, or legally restricted scraped material. In an agent skill context, this omission can lead downstream agents or users to fetch untrusted or internal URLs and then process or expose the returned HTML without appropriate safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal