Back to skill

Security audit

Korean Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Korean-site scraping skill, but it uses stealth browsing with weakened browser protections and insufficient destination controls.

Install only if you are comfortable running a stealth scraper that contacts third-party sites and weakens Chromium isolation. Use it in a disposable or sandboxed environment, avoid private/internal URLs, verify site authorization and terms, and prefer a patched, locked Playwright dependency set before running npm install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents use of environment variables such as HEADLESS, SCREENSHOT, WAIT_TIME, and USER_AGENT, which indicates runtime capabilities that are not explicitly declared in permissions. Undeclared capabilities reduce transparency for operators and make it harder to assess what inputs can influence execution, especially when those variables affect browser automation, data collection behavior, and persistence of artifacts like screenshots.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior does not accurately match the stated scope: it includes Naver Cafe scraping not called out in the top-level description, claims Instagram support without corresponding implementation, and presents multiple site-specific scrapers under a broader label. This mismatch can mislead users and reviewers about what targets and data flows are actually supported, which weakens security review and compliance assessment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The extractArticle function accepts any user-supplied URL and then loads it in a stealth browser context, even though this skill is presented as a Daum news scraper. This creates an SSRF-style capability and expands the scraper into a generic browser fetcher that can reach unintended internal or sensitive endpoints, especially dangerous if the agent runs in a trusted network or with authenticated browser state.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The extract path accepts any user-supplied URL and immediately opens it in a stealth browser, even though the skill is described as a scraper for specific Korean sites. That scope mismatch can turn the skill into a generic arbitrary-site fetcher/browser, enabling misuse against unintended targets, internal endpoints if reachable from the runtime, or sites with stricter legal and operational boundaries.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The extractArticle function accepts any user-supplied URL and passes it directly to page.goto(), while the skill is described as a scraper for specific Korean sites. This creates a scope-expansion issue that can be abused to make the agent browse arbitrary destinations, including internal services or unexpected third-party sites, especially dangerous if the runtime has network access beyond the public web.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The code comments frame this as removing unnecessary text, but the implementation also strips redistribution and copyright notices from article content. Removing rights-management language can facilitate downstream misuse of scraped content and indicates behavior that bypasses publisher-imposed attribution or reuse constraints.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly advertises anti-bot evasion features such as hiding navigator.webdriver, stealth plugins, user-agent randomization, human-behavior mimicry, and Cloudflare bypass timing. Even though it mentions ethics and rate limiting, the combination of scraping plus evasion materially increases legal, platform-enforcement, privacy, and abuse risk because it is designed to circumvent access controls rather than operate transparently.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script launches a stealth browser and performs live network requests to Coupang without any explicit user-facing disclosure, confirmation, or boundary checks on what URLs may be fetched. In an agent-skill context, hidden browsing behavior is risky because it can surprise users, violate operator expectations, and enable opaque collection of third-party content under anti-bot evasion behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This is the same underlying issue as SDI-1: the function fetches arbitrary user-provided URLs with no validation, warning, or confirmation. In an agent context, silent navigation to arbitrary URLs increases the risk of SSRF-like behavior, unintended access to sensitive endpoints, or abuse of the scraper as a general-purpose browsing primitive.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "무펭이",
  "license": "MIT",
  "dependencies": {
    "playwright": "^1.41.0",
    "playwright-extra": "^4.3.6",
    "puppeteer-extra-plugin-stealth": "^2.11.2"
  }
Confidence
91% confidence
Finding
"playwright": "^1.41.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "playwright": "^1.41.0",
    "playwright-extra": "^4.3.6",
    "puppeteer-extra-plugin-stealth": "^2.11.2"
  }
}
Confidence
91% confidence
Finding
"playwright-extra": "^4.3.6"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "playwright": "^1.41.0",
    "playwright-extra": "^4.3.6",
    "puppeteer-extra-plugin-stealth": "^2.11.2"
  }
}
Confidence
94% confidence
Finding
"puppeteer-extra-plugin-stealth": "^2.11.2"

Known Vulnerable Dependency: playwright==1.41.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
97% confidence
Finding
playwright==1.41.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/coupang.js:117

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/daum-news.js:51

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/naver-blog.js:50

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/naver-cafe.js:62

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/naver-news.js:51