Web Crawling Markdown API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Just Serp API wrapper that converts a user-provided webpage URL to Markdown, with expected third-party API use but some privacy cautions around sensitive URLs.

Install this only if you intend to use Just Serp API and are comfortable sending each requested URL to that service with your JUST_SERP_API_KEY. Avoid submitting localhost, private-network, signed, account-specific, confidential, or otherwise sensitive URLs unless you have reviewed the provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 92%
Finding
This skill forwards a user-supplied URL together with the caller's API key to a third-party service, but provides no disclosure, consent gate, or validation around what destinations may be requested. In an agent setting, this can cause unintended data egress: sensitive internal URLs, tokens embedded in URLs, or private endpoints may be sent to the external API, and the API key is always transmitted to that provider for each request.

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest provides only a generic description of a web crawling capability and does not define meaningful constraints for when the skill should be invoked. In an agent setting, this can cause over-broad activation on arbitrary user requests and trigger requests to external URLs without sufficient intent validation, increasing the chance of misuse, unintended data transmission, or SSRF-style abuse through user-supplied targets.

Missing User Warnings

Medium
Confidence: 95%
Finding
This skill sends a user-provided URL to a third-party crawling service, but the manifest does not warn users that their requested target and related request context may be disclosed externally. That lack of transparency is risky because users may unknowingly submit sensitive internal URLs, private documents, or confidential resources to an external provider.

VirusTotal

64/64 vendors flagged this skill as clean.
