AnyCrawl-API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AnyCrawl API wrapper, with normal privacy and API-key handling cautions for a third-party scraping service.

Install this only if you intend to use AnyCrawl. Use a revocable API key, avoid submitting private/internal URLs or sensitive content unless approved, and set conservative crawl limits to control quota use and scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README recommends persisting an API key in ~/.bashrc without any warning about credential exposure, shell history, shared-account risks, or safer secret-storage alternatives. While this is a common convenience pattern, it can lead to long-lived secrets being exposed to other local users, backups, dotfile sync, or accidental publication.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill exposes search, scrape, and crawl capabilities backed by a third-party AnyCrawl service but does not warn users that their queries, URLs, and retrieved page content will be transmitted off-platform. This creates a real privacy and data-handling risk because users may unknowingly send sensitive targets, internal URLs, or confidential content to an external provider.

VirusTotal

63/63 vendors flagged this skill as clean.
