CrawlHub

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only API integration for CrawlHub, with expected credential and scraping guidance but some areas users should supervise carefully.

Install only if you trust CrawlHub and intend to use it for authorized public-data collection. Keep credentials and tokens out of prompts and logs where possible, use least-privilege keys, monitor billing, and require explicit approval before any team, API-key, subscription, profile, write, or delete operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill promotes large-scale extraction from social and messaging platforms, anti-bot circumvention, and delivery to external sinks without any privacy, terms-of-service, or lawful-use warning. That omission increases the chance that users or downstream agents will collect, transfer, or operationalize personal data in ways that create privacy, compliance, and reputational risk.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The authentication section tells users to submit email/password credentials and use bearer and refresh tokens, but it does not warn against exposing secrets in prompts, logs, screenshots, shared notebooks, or third-party tooling. Because the skill also references team API keys and administrative endpoints, poor secret-handling guidance could directly lead to account takeover or unauthorized API use.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal