Sitemap Content Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed public sitemap scraper that saves chosen public pages locally, with the main caution being to keep the scrape scope and output folder intentional.

Install only if you want an agent to fetch public website pages and save them as local Markdown. Provide a narrow sitemap or include filter, consider a page limit for large sites, choose an output folder you are comfortable writing to, and treat scraped page text as untrusted source material.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill invokes Python scripts that perform outbound network access and write scraped content to local storage, but it declares no corresponding permissions. This creates a capability-transparency gap: a caller or policy engine may treat the skill as low-privilege even though it can fetch arbitrary public URLs and persist data, increasing the risk of unexpected network use, SSRF-like targeting attempts against insufficiently validated hosts, or unintended file writes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal