Crawl4ai Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web crawling skill; its main risks are normal privacy and site-policy risks from scraping, not hidden or malicious behavior in the provided artifact.

Install only if you trust the PyPI/GitHub project behind the crawl4ai-skill binary. Use narrow page and depth limits, crawl only sites you are authorized to access, respect site terms and robots.txt, avoid sending private/internal URLs to external services, and treat saved crawl output as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill promotes web search, scraping, site crawling, dynamic-page extraction, and file output but provides no safety guidance on privacy, authorization, robots.txt/terms compliance, crawl-rate limits, or handling of scraped sensitive data. In an agent context, this omission can lead users or autonomous workflows to collect personal/confidential data, overload third-party sites, or persist risky content to disk without clear safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.
