Security audit

Auto Scraping to CSV

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent web-scraping tool, but it needs review because its local browser bridge is unauthenticated, can run arbitrary page JavaScript, and documents password-based login without safeguards.

Install only if you are comfortable running an unauthenticated local browser-control service. Avoid pasting passwords into chat, use it only on pages you are authorized to scrape, stop the bridge when finished, and prefer a version that pins its runtime script and adds authentication or localhost-only controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The manifest says 'No external LLM needed,' but the body of the skill explicitly assigns core page understanding and control decisions to Claude. This is a security-relevant misrepresentation because operators may approve or deploy the skill under incorrect assumptions about data flow, model dependency, and where scraped content is sent for reasoning.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The documentation repeats that no external LLM is required, then later describes Claude as the component that interprets DOM state and decides actions. This inconsistency can cause unsafe deployment decisions, especially in environments with strict data handling or offline-only requirements.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill instructs users to provide login credentials to continue scraping authenticated pages, expanding the skill from public-page scraping into credential handling. Without explicit safeguards, storage limits, masking, or secure auth alternatives, this creates a significant risk of credential exposure, replay, or accidental logging by the agent, bridge, or model.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The bridge exposes an executeJavascript action that forwards arbitrary script text into the browser page context with no authentication, allowlist, or purpose restriction. In a scraping skill, this materially expands capability from reading page state and interacting with elements to arbitrary code execution on any loaded site, enabling data exfiltration, destructive DOM changes, and abuse of authenticated browser sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The /shutdown endpoint allows any caller who can reach the bridge to terminate all sessions and stop the server without authentication. This creates a trivial denial-of-service path unrelated to the stated scraping/export function and can interrupt active automation or destroy in-progress work.

Missing User Warnings

Severity: High
Confidence: 92%
Finding:
The examples explicitly include scraping company names, emails, social engagement, job data, and real-estate details, but there is no warning about collecting and exporting personal or sensitive data. In a scraping skill, that omission materially raises privacy, compliance, and misuse risk because the tool is designed to bulk-extract and save structured records.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The credential prompt tells users to provide username and password without any safety guidance about secret handling, retention, masking, or safer alternatives. In an agent environment, this can lead to credentials being exposed in transcripts, logs, prompts, bridge telemetry, or downstream systems.

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:
```
{ "action": "executeJavascript", "params": { "script": "return document.title;" } }
```

### `DELETE /sessions/:id`
Close session.

### `POST /shutdown`
Confidence: 95%
Finding:
DELETE /sessions/:id`

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.