web-recon

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web security scanner, but it actively probes targets and sends some target details to third-party services without strong scope or consent controls.

Install only if you need an active dual-use web security scanner. Use it only on systems you own or have explicit permission to test, review the enabled modules before running a full scan, avoid providing SHODAN_API_KEY unless you want Shodan enrichment, and treat the output directory as sensitive because reports can include discovered secrets and vulnerability details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium severity, 96% confidence
Finding
The skill is explicitly positioned for pentesting, bug bounty, port scanning, subdomain enumeration, directory bruteforce, and vulnerability discovery, yet it does not present a clear warning that these actions are active and potentially intrusive. Without an upfront warning and authorization requirement, users or downstream agents may treat it like passive analysis and launch scans against targets they are not permitted to test, creating legal, operational, and abuse risk.

Missing User Warnings

Medium severity, 93% confidence
Finding
This documentation explicitly promotes active reconnaissance and vulnerability-scanning tools such as nmap, gobuster, ffuf, nikto, wpscan, and nuclei, but provides no warning that their use against third-party targets may be unauthorized, disruptive, or illegal. In the context of a skill marketed as a website vulnerability scanner for 'any website,' the omission lowers friction for misuse and makes unsafe or unauthorized scanning more likely.

Missing User Warnings

Medium severity, 95% confidence
Finding
The script automatically performs outbound requests to the user-supplied URL and then fetches additional linked JavaScript resources discovered in the page, without any explicit consent prompt or clear warning that third-party hosts may be contacted. In a security tool this can expose internal or sensitive URLs to the local environment, trigger unintended scanning of external infrastructure, and cause surprise network activity beyond the single URL the user may expect.

Missing User Warnings

Medium severity, 95% confidence
Finding
The script sends the resolved target IP to ip-api.com over plain HTTP without clearly disclosing that scan target data is being transmitted to a third party. This creates privacy and operational-security risk because user targets and reconnaissance activity may be exposed externally, and the HTTP transport adds interception/tampering risk.

Missing User Warnings

Medium severity, 96% confidence
Finding
The Shodan lookup transmits the target IP to an external service and uses an API credential, but the script does not prominently disclose this behavior or require explicit consent. In a recon tool, that can leak customer targets, create audit/compliance issues, and expose usage metadata to a third party.

VirusTotal

VirusTotal findings are pending for this skill version.
