Back to skill

Security audit

XCrawl

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward XCrawl API helper that sends user-chosen scrape requests to XCrawl, with no hidden installer, persistence, or destructive behavior found.

Install only if you are comfortable sending requested URLs, extraction prompts, and selected options to XCrawl. Avoid using private account pages, session cookies, Authorization headers, internal URLs, or sensitive webhook destinations unless you deliberately intend that data to be processed by XCrawl and any configured callback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill encourages sending user-provided URLs, headers, cookies, and optional webhook settings to a third-party service without an explicit warning about external data transmission or sensitivity of those fields. This can cause unintended disclosure of session tokens, internal URLs, or callback endpoints, especially because the request schema explicitly allows forwarding cookies and custom headers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.