Back to skill

Security audit

Tabstack Extractor

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned Tabstack web extraction helper, with privacy and install-safety cautions but no evidence of hidden, destructive, or deceptive behavior.

Use this skill only for public or approved web pages. Prefer Homebrew, Nix, or an inspected pinned Babashka release instead of piping a remote install script into bash, keep the Tabstack API key secure, and avoid submitting private intranet URLs, URLs containing secrets, or regulated data unless Tabstack processing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs use of shell commands, network access, environment variables, and local file reads, yet it declares no permissions or capability boundaries. This can cause the agent or user to invoke broader system and network actions than expected, reducing transparency and weakening sandbox/policy enforcement around secret handling and outbound requests.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference file documents materially broader capabilities than the stated skill purpose, including research, JSON generation from arbitrary queries, and browser automation. This creates scope ambiguity that can enable unintended use of more powerful actions than users or reviewers expect, increasing the chance of data exfiltration, autonomous browsing, or policy bypass if an implementation exposes these endpoints.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad and match many ordinary requests about scraping, extracting article content, product data, or contact information. This increases the chance the skill is auto-invoked in contexts where the user did not intend to send URLs or page content to a third-party service, which can lead to overcollection or unintended data transfer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not prominently warn that supplied URLs and potentially retrieved webpage content are sent to the external Tabstack API. Without a clear disclosure, users may unknowingly transmit sensitive URLs, internal links, or proprietary page content to a third party, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The API reference shows authenticated requests that send user-supplied URLs to an external service, but it does not disclose this data flow or warn that remote content will be fetched and processed by Tabstack. In a scraping/extraction skill, this matters because submitted URLs may contain sensitive query parameters, internal locations, or proprietary targets, and users may not realize their inputs and fetched content are leaving the local environment.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The function sends user-supplied target URLs and extraction schemas to a third-party API without an explicit warning or consent check at execution time. In a skill context, users may assume local scraping, but this implementation causes remote processing of potentially sensitive internal or private URLs, creating privacy and data-handling risk.

Missing User Warnings

Low
Confidence
76% confidence
Finding
This function transmits the requested page URL to a third-party markdown extraction service without an explicit user warning at the point of use. That can expose private browsing targets or internal resources to an external processor, which is especially relevant for an agent skill that may be invoked on sensitive enterprise content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends a user-supplied URL to Tabstack's external API for processing, which is a real data-transmission/privacy issue because users may assume the URL and any reachable page content stay local. In this skill context, external transmission is the core functionality, so the behavior is expected, but the lack of an explicit warning or consent mechanism can still cause unintentional disclosure of sensitive internal URLs or private resources.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits both the user-provided URL and the full schema file contents to an external API without explicit notice. This is dangerous because schemas can encode sensitive business logic, internal field names, or proprietary extraction goals, and users may not realize that both inputs leave the local environment.

External Transmission

Medium
Category
Data Exfiltration
Content
"schema": schema
    }
    
    response = requests.post(f"{TABSTACK_BASE_URL}/extract/json", 
                           headers=headers, json=payload, timeout=30)
    response.raise_for_status()
    return response.json()
Confidence
84% confidence
Finding
requests.post(f"{TABSTACK_BASE_URL}/extract/json", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
"url": url
    }
    
    response = requests.post(f"{TABSTACK_BASE_URL}/extract/markdown", 
                           headers=headers, json=payload, timeout=30)
    response.raise_for_status()
    return response.text
Confidence
84% confidence
Finding
requests.post(f"{TABSTACK_BASE_URL}/extract/markdown", headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.