Anycrawl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SkillBoss API integration for web search, scraping, and crawling, with privacy and API-key handling caveats but no hidden or mismatched behavior found.

Install only if you trust SkillBoss/HeyBossAI and its backend providers with the URLs, search terms, crawl targets, and page content you ask it to process. Avoid using it on internal-only sites, secrets, personal data, or regulated content unless that external sharing is approved. Store the API key carefully, prefer a scoped or revocable key if available, and do not commit or sync shell profiles or config files containing the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README instructs users to persist an API key in ~/.bashrc, which increases the chance of long-lived credential exposure through shell history, shared accounts, backups, dotfile syncing, or accidental disclosure of startup files. While storing environment variables is common, presenting this as the default permanent setup without warning or safer alternatives is a real security weakness in documentation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill clearly routes user-supplied URLs, search queries, and fetched page content through the third-party SkillBoss API Hub, but it does not warn users about that external data transfer. This can lead to unintentional disclosure of sensitive URLs, internal endpoints, search terms, or retrieved content to an external service, especially if users assume processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.
