Back to skill

Security audit

HTML Text Extract

Security checks across malware telemetry and agentic risk

Overview

This skill appears to extract HTML as advertised, but it can also install an unpinned Python package into the host environment when run.

Review before installing. Use this only in a virtual environment or container, or preinstall a reviewed and pinned trafilatura version yourself. The main extraction behavior is coherent, but the automatic pip install with a system-package override is under-disclosed and can alter your Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return
    warn(f"Installing missing packages: {', '.join(missing)}...")
    try:
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", *missing, "--break-system-packages"]
        )
    except subprocess.CalledProcessError:
Confidence
96% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", *missing, "--break-system-packages"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except subprocess.CalledProcessError:
        # --break-system-packages may not be supported (e.g. macOS, older pip). Retry without it.
        try:
            subprocess.check_call(
                [sys.executable, "-m", "pip", "install", *missing]
            )
        except subprocess.CalledProcessError:
Confidence
96% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", *missing] )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes invoking a Python script that can fetch remote URLs and execute shell command pipelines, but the skill metadata declares no corresponding permissions. This mismatch is a real security issue because it hides network and shell-capable behavior from any policy or review layer that relies on declared permissions, reducing transparency and potentially allowing unintended data egress or command chaining.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
For a skill whose stated purpose is simple HTML content extraction, runtime pip installation is unnecessary privileged behavior that expands the attack surface beyond the declared function. In an agent setting, this is more dangerous because a benign-looking text-processing tool can unexpectedly download and execute third-party package code on the host.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest describes passive extraction from URL, file, or stdin, but the implementation also changes the host by installing packages. This mismatch is security-relevant because users and orchestrators may grant the skill more trust than warranted, and hidden environment mutation is particularly risky in shared, production, or sandboxed systems.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Automatic package installation without confirmation is a genuine security issue because it causes network access, code retrieval, and code execution from package indexes without explicit operator approval. The skill context makes this more dangerous, not less, because HTML extraction does not inherently require modifying the environment, so this behavior is unexpected and violates least surprise and least privilege.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.