Smart Crawler

Security checks across malware telemetry and agentic risk

Overview

This is a real crawler toolkit, but it explicitly promotes anti-detection and proxy-based scraping without clear authorization or acceptable-use limits.

Install only if you need a crawler and can enforce your own boundaries. Use it only on sites you are authorized to crawl, keep conservative rates, avoid proxy/anti-detection modes unless explicitly permitted, review scripted browser actions before running them, and install dependencies in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises concrete networked crawling behavior and implies file-producing/data-processing capabilities, but declares no permissions or capability warnings. That mismatch can mislead users and host systems about what the skill will do, reducing informed consent and making risky behavior harder to govern or sandbox.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes anti-bot evasion, proxy pools, request throttling, and User-Agent rotation, but provides no warning about legal restrictions, terms-of-service compliance, authorization requirements, or acceptable-use boundaries. In an agent skill context, this omission can normalize or enable unauthorized scraping and anti-detection behavior, increasing the risk of misuse against third-party sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document promotes proxy use and anti-detection scraping techniques without any warning about legal, policy, or abuse implications. Users may invoke the skill for stealthy collection against third-party sites without understanding that it is designed to evade detection and route traffic through proxies.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill text explicitly markets anti-detection and anti-crawling evasion as core functionality, with no limiting context such as defensive testing, approved data collection, or compliance controls. In this context, the capability materially increases misuse potential because it helps conceal automated scraping activity and bypass operational safeguards on target websites.

VirusTotal

VirusTotal findings are pending for this skill version.
