WebScraper

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web page extraction skill with normal web-request privacy cautions and no hidden code or persistence.

Use this for public pages you are allowed to fetch. Remember that any URL fetch may reveal request metadata to the target site, avoid private/internal/login-required URLs unless you explicitly intend that access, respect robots.txt and site terms, and review the optional npm install before running it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill instructs agents to fetch arbitrary external URLs and even suggests custom user-agents, retries, and proxy use, but it does not warn that doing so discloses network metadata such as the user's or platform's IP address, user-agent, request timing, and requested URL to third-party sites. This creates a real privacy and operational-risk issue, especially if users supply sensitive or internal URLs, because external servers can log, fingerprint, or correlate requests.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal