Web Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real web page monitoring tool, but it needs Review because it accepts overly broad URLs and persists fetched content, diffs, and keyword snippets locally.

Install only if you are comfortable with monitored page contents being saved locally. Use explicit http:// or https:// URLs, avoid authenticated, private, admin, file://, and internal-network targets, and clear ~/.web-monitor or the WEB_MONITOR_DIR location when stored snapshots or alerts may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill documentation advertises and demonstrates network access, local file read/write, and environment-variable-controlled storage, yet no permissions are declared. That creates a transparency and consent problem: users and any policy layer cannot accurately assess that the skill fetches remote content and persists snapshots locally. In this context the capabilities are expected for a web-monitoring tool, which lowers suspicion of malicious intent, but undeclared capabilities still increase risk because the skill stores potentially sensitive fetched content on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
A description-behavior mismatch is a real security concern because it prevents informed use and review of the skill. If the implementation also performs keyword/regex alerting, snippet extraction, historical alert viewing, searching stored snapshots, and monitoring statistics beyond the stated scope, users may unknowingly enable broader data collection, retention, and analysis than expected. The web-monitoring context makes some adjacent features plausible, but they should still be disclosed because they expand surveillance and storage behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool exposes a `--keywords-only` option and stores `alert_on_keywords_only`, but `cmd_check` still emits generic change alerts whenever content changes. This is a real integrity/behavior flaw because users may rely on the advertised mode to suppress non-keyword notifications, causing alert fatigue or incorrect automation decisions based on unexpected alerts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation mentions the local storage path but fails to clearly disclose that the skill fetches remote URLs and stores page snapshots and diffs, which may contain sensitive or access-controlled content. This can lead users to monitor internal, authenticated, or personal pages without realizing that full content copies and diffs will persist on disk, increasing the chance of local data exposure or retention beyond expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Fetched page contents are written to local snapshot and diff files without clear disclosure to the user that full remote content will persist on disk. In a web-monitoring skill, users may watch pages containing credentials, personal data, internal dashboards, or copyrighted/private content, so silent persistence increases privacy and data-retention risk on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Keyword alert contexts extracted from monitored pages are serialized to JSON alert files, which can preserve sensitive snippets from the fetched content without user awareness. Because this skill is specifically designed to monitor arbitrary webpages, these stored excerpts may contain secrets, personal data, or internal business information and broaden the local exposure surface.

VirusTotal

64/64 vendors flagged this skill as clean.
