Python Crawler Architect

Security checks across malware telemetry and agentic risk

Overview

This is a crawler-design instruction skill with sensitive but disclosed anti-blocking guidance and no executable installer or hidden behavior.

Install this only if you want crawler architecture guidance. Review any generated crawler before running it, keep API keys and proxy credentials in environment variables, and use the anti-blocking advice only for lawful, authorized scraping that respects robots.txt, rate limits, site terms, and privacy rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
Hard-coding an 'Accept-Language: zh-CN,zh;q=0.9,en;q=0.8' header is not a major vulnerability by itself, but it can create unnecessary fingerprinting consistency across requests and misrepresent user locale. In a scraping skill already focused on request disguise, fixed locale headers contribute to stealth-oriented impersonation and can be combined with other evasion behaviors.

Ssd 4

Medium
Confidence
95% confidence
Finding
This workflow operationalizes anti-detection scraping by prescribing a stepwise architecture that includes proxy pools, resumable state, scheduling, layered collection, and full implementation guidance. The danger comes from combining otherwise common engineering components into a reusable evasion playbook that lowers the barrier to harvesting data from targets that may be attempting to block or rate-limit automated access.

Ssd 2

Medium
Confidence
96% confidence
Finding
The skill explicitly advertises '反爬虫对抗' (anti-crawler countermeasures) and '规避策略' (evasion strategies) as a core competency. That framing is risky because it signals support for bypassing anti-bot defenses rather than merely building resilient clients, which can facilitate unauthorized scraping or evasion of access controls.

Ssd 2

Medium
Confidence
97% confidence
Finding
The checklist and best-practice language normalize multiple request-masquerading techniques—UA rotation, proxy rotation, cookie persistence, header spoofing, CAPTCHA handling, and resumability—as standard guidance. In context, this is more dangerous than generic networking advice because the skill is specifically tailored to web scraping and anti-detection operation, enabling practical evasion of site defenses.

VirusTotal

63/63 vendors flagged this skill as clean.
