EZCTO Smart Web Reader

Security checks across malware telemetry and agentic risk

Overview

This web-reader skill is not clearly malicious, but it needs review because it can automatically fetch any URL, cache results locally, and upload extracted page data to an external service.

Install only if you are comfortable with automatic URL processing, local cache files, and sharing URLs plus extracted page data with api.ezcto.fun. Do not use it on login-protected, internal, private, signed, or token-bearing URLs unless contribution is disabled and you have reviewed cache retention. Require confirmation before following generated next actions or chained-skill suggestions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The quickstart instructs users to enable exec and filesystem for a skill whose advertised purpose is reading URLs. That unnecessarily expands the skill's privileges from network retrieval to local command execution and file access, increasing the blast radius if the skill is buggy, prompt-injected, or later chained into broader actions.

Intent-Code Divergence

Low
Confidence
72% confidence
Finding
The documentation says URLs are read automatically with no special commands, but later describes broader workflow execution and extra tool enablement. This mismatch can mislead operators about what the skill will actually do and what permissions it may exercise, undermining informed consent and safe deployment.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README declares a dependency on the `exec` tool for a skill whose primary purpose is reading URLs and caching results. Requiring shell execution materially expands the attack surface because any prompt-influenced workflow or future implementation detail could invoke arbitrary commands, which is unnecessary for a read-only web access helper.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The privacy section asserts that the skill does not store or transmit PII, yet it also states that it sends the requested URL and structured JSON result to the EZCTO API. URLs and extracted page content can themselves contain personal, private, or sensitive data, so this claim is misleading and may cause operators to expose confidential information to a third party without informed consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a web-reading/translation layer, but it silently performs a secondary data-sharing action by uploading derived page data to an external community service by default. This creates a meaningful data exfiltration risk because users and downstream agents may invoke it expecting only local retrieval, while arbitrary webpage-derived structured content is transmitted off-box without explicit consent per invocation.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The Security Manifest states the external endpoint is only api.ezcto.fun, but the workflow also fetches any user-provided URL directly. This is misleading security documentation: operators may rely on the manifest for network exposure review and miss that the skill can contact arbitrary hosts, increasing SSRF, privacy, and policy-bypass risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation claims no sensitive data or PII is transmitted, yet the contribution step uploads extracted structured JSON from arbitrary webpages. If the agent reads authenticated, private, internal, or user-specific pages, the extracted JSON can easily contain personal, confidential, or regulated data, making the claim inaccurate and dangerous.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This example output goes beyond passive webpage-reading and includes prescriptive trading actions, community-joining links, and chaining into additional crypto-analysis skills. In an agent setting, examples often shape downstream behavior, so this can normalize or induce high-risk financial workflows from a skill that is supposed to only return structured page content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation for a nominally read-only URL reader explicitly describes contributing parsed results to a remote EZCTO API and later auto-refreshing content. That expands the skill from passive retrieval into outbound data sharing and autonomous network activity, which can disclose user-requested URLs, fetched content, or derived metadata beyond user expectations.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Claiming there are 'no cloud dependencies for core operations' is misleading when normal execution flow elsewhere documents EZCTO API interaction. Misleading security and privacy claims can cause operators to grant trust or permissions under false assumptions, increasing the chance of unintended data exposure.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The prompt contains conflicting instructions: it says to preserve URLs exactly as found in the HTML, but the validation checklist requires that all URLs be made complete, including relative paths. In a web-reading skill, this ambiguity can cause downstream agents to act on rewritten links rather than source-faithful ones, leading to incorrect navigation, loss of provenance, or accidental access to attacker-controlled absolute URL interpretations.

Vague Triggers

High
Confidence
97% confidence
Finding
The documented triggers are extremely broad and are designed to auto-fire whenever an agent encounters or is about to access a URL, including when a user merely shares a link without explicit instruction. In a web-reading skill with network, exec, and filesystem capabilities, this can cause unintended retrieval, processing, and caching of URLs the user did not clearly authorize, expanding privacy and security exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The changelog explicitly promotes transparent automatic URL access and local caching while stating that the user never needs to know the skill exists. This creates a privacy and governance problem because URLs may contain sensitive tokens, internal hosts, or user-specific data, and writing fetched content to local cache can persist that information without notice or consent.

Vague Triggers

High
Confidence
95% confidence
Finding
Advertising that the system automatically reads any mentioned URL creates an overly broad trigger surface. In practice, that can cause unintended retrieval of attacker-supplied links, internal-only URLs, sensitive references, or links embedded in unrelated conversation, which is especially risky for an agent connected to web and local tools.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quickstart enables web, exec, and filesystem and demonstrates caching and report generation without warning about local writes, retained data, or external processing. Users may unknowingly allow persistent storage of visited content and broader system interaction than expected for a web-reading helper.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The first-use description says the skill fires automatically whenever a URL is mentioned and that OpenClaw reads it without being asked. Overly broad automatic activation can cause unintentional fetching, local storage, and possible upstream transmission of links that the user merely referenced, including internal, signed, or sensitive URLs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Claiming transparent interception for 'any URL' without clear scope or safety constraints is risky in a web-reading skill. In context, this increases the chance of SSRF-style access to internal resources, accidental retrieval of private links, and silent processing of content the user did not intend to share with a third-party API or local cache.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger conditions are broad enough to auto-activate for routine browsing, research, or even a pasted URL. In this skill, broad activation is especially risky because invocation can lead to automatic external transmission and local persistence, so users may trigger network fetches and uploads without realizing this particular skill was selected.

Missing User Warnings

High
Confidence
98% confidence
Finding
The user-facing description emphasizes reading and caching pages but does not prominently warn that structured page data may be uploaded to a community cache service. This lack of informed disclosure undermines consent and can expose sensitive or proprietary content when the skill is used on non-public or session-authenticated pages.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger definitions are broad enough that the skill may be injected for many ordinary conversations involving URLs or vague research requests. In a skill with network, filesystem, and exec access, over-broad invocation increases the chance of unintended data retrieval, persistence, or remote API interaction without the user clearly asking for this specific capability.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The example guidance includes a catch-all condition of using the skill whenever the agent would otherwise call web_fetch. That effectively turns a broad, higher-privilege skill into a default path for generic web access, magnifying the risks of autonomous network calls, local writes, and side effects such as remote contribution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat daemon section describes autonomous cache inspection, queued refreshes, skill execution with a refresh flag, and ongoing filesystem/network activity, but does not present a prominent user-facing warning proportional to those side effects. Background operation is especially sensitive here because the skill also has wildcard network access and persistent local storage.

Ssd 3

Medium
Confidence
95% confidence
Finding
The file describes 'transparent infrastructure' that automatically intercepts URL access and hides the skill's operation from the user. Concealed network activity and caching reduce user awareness and oversight, making it easier for the agent to fetch external or potentially sensitive resources in ways the user did not intend or cannot audit.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
tail -f ~/.openclaw/logs/skills/ezcto-smart-web-reader.log

# Test URL directly
curl -s "https://api.ezcto.fun/v1/translate?url=YOUR_URL"
```
Confidence
84% confidence
Finding
https://api.ezcto.fun/

Session Persistence

Medium
Category
Rogue Agent
Content
### Cache directory error
```bash
mkdir -p ~/.ezcto/cache
chmod 755 ~/.ezcto/cache
```
Confidence
78% confidence
Finding
mkdir -p ~/.ezcto/cache chmod 755 ~/.ezcto/cache ``` ### Page parsing fails ```bash # Check logs tail -f ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
