Skylv Web Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only web scraping skill whose network fetching behavior matches its stated purpose.

Install only if you want an agent to fetch and parse web pages. Do not provide private, internal, authenticated, tokenized, or one-time-use URLs unless you intend them to be fetched, and use the skill only where scraping is permitted by site terms, robots.txt, rate limits, copyright rules, and applicable law.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium, 91% confidence
Finding
The trigger list is broad enough that ordinary requests about web content, crawling, or HTML parsing could activate this skill unexpectedly. That can cause unintended external fetches and content processing without the user clearly understanding that network access will occur.

Missing User Warnings

Medium, 95% confidence
Finding
The skill instructs the agent to fetch arbitrary URLs but does not warn users that their requested URLs will be sent to an external network-fetching tool. This creates a transparency and privacy risk, especially if users provide sensitive internal, personal, or tokenized URLs assuming they are only being discussed rather than requested over the network.

VirusTotal

64/64 vendors flagged this skill as clean.
