ClawHub

Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only web scraping skill with disclosed, purpose-aligned capabilities, but users should apply careful legal, privacy, and rate-limit judgment.

Install only if you intend to scrape public or otherwise authorized websites. Keep crawl depth and request rates conservative, respect robots.txt and site terms, avoid private/authenticated or personal data unless you have a clear lawful basis, and do not use proxies or user-agent rotation to bypass access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The command triggers are generic natural-language phrases like "scrape [URL]" and "get table from [URL]", which can overlap with ordinary user requests and cause the skill to activate unexpectedly. In a scraping-capable skill, unintended activation can lead to network access, collection of third-party data, or site crawling without clear user consent or sufficient safety checks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises broad web scraping and crawling features, including proxy support, export formats, and configurable request rates, but does not warn about privacy risks, sensitive-data collection, terms-of-service issues, or the potential impact of automated requests on target systems. This omission increases the chance that users invoke scraping in unsafe or noncompliant ways, especially because the capability set enables scaled collection and redistribution of website data.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal