Data Spider

Security checks across malware telemetry and agentic risk

Overview

Data Spider is a disclosed external web-scraping helper that uses an AIProx spend token, with no executable install code or hidden behavior found.

Install only if you are comfortable sending target URLs, extraction instructions, schemas, and resulting page content to AIProx and its downstream model provider. Do not use it on private dashboards, authenticated pages, intranet hosts, localhost, cloud metadata endpoints, or sensitive regulated content unless you have confirmed that this is intended and allowed. Protect the AIPROX_SPEND_TOKEN because it may authorize paid usage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill advertises that it can scrape 'any webpage' with no meaningful scope restrictions, allowlist, or user-safety boundaries. In an agent setting, this broad trigger surface can cause over-activation on arbitrary URLs, including internal, sensitive, or policy-restricted destinations, increasing the chance of unintended data access or misuse.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The usage section describes broad use cases but does not define concrete activation boundaries, trigger phrases, or exclusions. Without clear gating, an orchestrator or agent may invoke this skill in contexts the user did not intend, potentially sending arbitrary URLs and page contents to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal