Back to skill

Security audit

XCrawl Crawl

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent XCrawl API helper that uses a local API key to submit user-directed crawl jobs, with no evidence of hidden or destructive behavior.

Install only if you intend to use XCrawl and are comfortable storing an XCrawl API key in ~/.xcrawl/config.json. Keep crawl scopes bounded, avoid sending private/internal URLs, cookies, or authorization headers unless strictly necessary, review webhook destinations, and expect XCrawl credits to be consumed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

External Transmission

Medium
Category
Data Exfiltration
Content
const fs=require("fs");
const apiKey=JSON.parse(fs.readFileSync(process.env.HOME+"/.xcrawl/config.json","utf8")).XCRAWL_API_KEY;
const body={url:"https://example.com",crawler:{limit:300,max_depth:3,include:["/docs/.*"],exclude:["/blog/.*"]},request:{locale:"ja-JP"},output:{formats:["markdown","links","json"]}};
fetch("https://run.xcrawl.com/v1/crawl",{
  method:"POST",
  headers:{"Content-Type":"application/json",Authorization:`Bearer ${apiKey}`},
  body:JSON.stringify(body)
Confidence
88% confidence
Finding
fetch("https://run.xcrawl.com/v1/crawl",{ method:"POST"

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
API_KEY="$(node -e "const fs=require('fs');const p=process.env.HOME+'/.xcrawl/config.json';const k=JSON.parse(fs.readFileSync(p,'utf8')).XCRAWL_API_KEY||'';process.stdout.write(k)")"

CREATE_RESP="$(curl -sS -X POST "https://run.xcrawl.com/v1/crawl" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${API_KEY}" \
  -d '{"url":"https://example.com","crawler":{"limit":100,"max_depth":2},"output":{"formats":["markdown","links"]}}')"
Confidence
90% confidence
Finding
curl -sS -X POST "https://run.xcrawl.com/v1/crawl" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${API_KEY}" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.