ClawHub

PulpMiner Web Scraper - Convert Any Webpage to Realtime JSON API

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only guide for using the PulpMiner scraping API, with external data transfer and API-key use disclosed as part of its core purpose.

Install only if you are comfortable sending target webpage content, extraction parameters, and results to PulpMiner. Protect the API key, monitor credit usage, avoid scraping confidential or unauthorized pages, and use Zapier callback URLs only when you trust the destination workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill encourages scraping webpages and supports callback delivery to third-party endpoints, but it does not warn about transmitting scraped data off-platform, handling personal/sensitive data, or obtaining authorization to scrape a target. In an agent setting, this omission can lead users to unknowingly send private or regulated data to external services and webhooks.

External Transmission

Medium
Category
Data Exfiltration
Content
### Static API (fixed URL)

```bash
curl -X GET "https://api.pulpminer.com/external/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>"
```
Confidence
90% confidence
Finding
curl -X GET "https://api.pulpminer.com/external/<apiId>" \ -H "apikey: <PULPMINER_API_KEY>" ``` Returns JSON extracted from the configured webpage. ### Dynamic API (URL with variables) For APIs s

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Static API
curl -X POST "https://api.pulpminer.com/external/zapier/get/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>" \
  -d '{"callbackURL": "https://hooks.zapier.com/..."}'
Confidence
96% confidence
Finding
curl -X POST "https://api.pulpminer.com/external/zapier/get/<apiId>" \ -H "apikey: <PULPMINER_API_KEY>" \ -d '{"callbackURL": "https://hooks.zapier.com/..."}' # Dynamic API curl -X POST "https://

External Transmission

Medium
Category
Data Exfiltration
Content
### Static API (fixed URL)

```bash
curl -X GET "https://api.pulpminer.com/external/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>"
```
Confidence
90% confidence
Finding
https://api.pulpminer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
For APIs saved with template URLs like `https://example.com/search?q={{query}}&page={{page}}`:

```bash
curl -X POST "https://api.pulpminer.com/external/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"query": "javascript frameworks", "page": "1"}'
Confidence
89% confidence
Finding
https://api.pulpminer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Static API
curl -X POST "https://api.pulpminer.com/external/zapier/get/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>" \
  -d '{"callbackURL": "https://hooks.zapier.com/..."}'
Confidence
96% confidence
Finding
https://api.pulpminer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"callbackURL": "https://hooks.zapier.com/..."}'

# Dynamic API
curl -X POST "https://api.pulpminer.com/external/zapier/post/<apiId>" \
  -H "apikey: <PULPMINER_API_KEY>" \
  -d '{"callbackURL": "https://hooks.zapier.com/...", "query": "value"}'
```
Confidence
95% confidence
Finding
https://api.pulpminer.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Verify authentication:

```bash
curl -X GET "https://api.pulpminer.com/external/n8n/auth" \
  -H "apikey: <PULPMINER_API_KEY>"
```
Confidence
80% confidence
Finding
https://api.pulpminer.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal