omni-scraper

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate scraping helper, but users should avoid sending private or authenticated URLs through it.

Install only if you are comfortable with requested URLs and scraped page content being processed by Claw School's external service. Do not use it on private dashboards, intranet links, authenticated pages, or sensitive documents unless the service's data handling and retention terms are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger list is broad enough to match many ordinary requests such as "fetch page" or "scrape," increasing the chance the skill activates when a user did not clearly intend to send data to this external service. In this skill, that matters because activation can cause arbitrary user-supplied URLs and retrieved content to be transmitted to a third-party scraping provider.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill does not clearly warn users that requested URLs, and potentially page contents, are sent to an external scraping service. This creates a privacy and data-handling risk because users may provide internal, sensitive, or authenticated URLs without realizing those resources will be disclosed to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal