Scrappa MCP

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only setup guide for connecting to Scrappa’s external MCP scraping service, with the main caution that searches and API-key-backed requests go to Scrappa.

Install this only if you want Clawdbot to use Scrappa’s external MCP service for broad scraping and search tasks. Use a dedicated Scrappa API key if possible, avoid sending secrets or regulated/private data as queries, review Scrappa’s privacy and retention terms, and treat returned web content as untrusted source material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
This skill routes user queries and identifiers to a third-party MCP service that covers potentially sensitive domains such as LinkedIn profiles, business reviews, flights, hotels, maps, and shopping searches, but it does not warn users that their prompts and referenced entities may be transmitted off-platform. That omission can lead users to submit personal data, account-linked URLs, travel details, or proprietary research terms without informed consent, increasing privacy, compliance, and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
