Back to skill

Security audit

Scrappa MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a clear setup guide for connecting Clawdbot to Scrappa's external MCP scraping service, with the main caution that requests go to a third-party provider.

Install this only if you want Clawdbot to use Scrappa's external service for broad scraping and search tasks. Use a dedicated Scrappa API key when possible, avoid sending secrets or regulated/private data as queries, review Scrappa's privacy and retention terms, and treat returned web content as untrusted source material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill routes user queries and identifiers to an external MCP endpoint at scrappa.co and, by design, to downstream third-party services such as Google, YouTube, Amazon, and LinkedIn, but the description does not clearly disclose that data leaves the local environment. This can cause unintended exposure of sensitive prompts, search terms, profile URLs, travel plans, or business research data, especially because users may assume a search skill is only a local integration helper rather than a data-sharing proxy.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.