Glancify

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed web-page proxy, but users should only send public URLs because requests go through an external ToolWeb service.

Install only if you are comfortable with ToolWeb receiving the URLs you ask it to wrap and potentially fetching their content. Do not use it with private intranet hosts, localhost/cloud metadata addresses, signed links, access-token URLs, or pages requiring authentication unless you have verified the provider's privacy and request-filtering controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill clearly describes a proxy that fetches and wraps arbitrary external URLs, but it does not prominently warn users that any submitted URL and retrieved content will be transmitted to and processed by a third-party service. This creates a real privacy and data-handling risk because users may unknowingly submit sensitive, internal, or credential-bearing URLs to an external operator.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The /view endpoint is explicitly described as a proxy that wraps arbitrary external pages, yet the OpenAPI contract defines only a free-form required string URL and no restrictions on allowed schemes, hosts, authentication context, or safe-use conditions. In an agent-integrated skill, this broad proxy capability can enable server-side request forgery, access to internal or sensitive endpoints, and unsafe retrieval of attacker-controlled content that may then be rendered, summarized, or acted upon by downstream components.

External Transmission

Medium
Category
Data Exfiltration
Content
```json
{
  "status": "success",
  "wrapped_url": "https://api.toolweb.in/tools/glancify/view?url=https://example.com/article",
  "content": {
    "title": "Example Article",
    "glancify_enabled": true,
```
Confidence
95% confidence
Finding
https://api.toolweb.in/

VirusTotal

58/58 vendors flagged this skill as clean.
