XCrawl Map

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed XCrawl integration that sends user-chosen crawl targets to XCrawl using a local API key, with no hidden install, background behavior, or unrelated data access found.

Install only if you are comfortable storing an XCrawl API key locally and sending selected target URLs, regex filters, crawl options, and resulting discovered URLs through XCrawl. Review scope and limits before running, especially for private or sensitive sites, because requests may consume credits and responses may expose discovered paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to send user-provided target URLs, filters, and crawl parameters to XCrawl's external API, but it does not clearly warn that this transmits potentially sensitive reconnaissance targets to a third party. In a security workflow, target domains, path regexes, and crawl scope can themselves be sensitive operational data, so lack of disclosure meaningfully increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
