Crawlee

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Crawlee web-scraping guide, with some caution needed around anti-blocking and proxy guidance.

Install this only if you intend to build web scrapers. Use it for sites you are authorized to crawl, set request and rate limits, respect applicable site rules, and protect or purge stored datasets, proxy credentials, cookies, and session state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 95%
Finding
The skill’s trigger guidance is overly broad and explicitly includes loosely related phrases, which can cause the scraping capability to activate in situations where the user did not clearly request web scraping or automation. In a security-sensitive domain, that increases the chance of the agent offering or normalizing high-risk collection and anti-detection guidance in inappropriate contexts.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill provides operational guidance for anti-blocking, proxy rotation, session persistence, fingerprint randomization, and even 'bypass bot detection' without any accompanying warning, restriction, or compliance framing. In the context of a scraping skill, these features materially enable stealthier collection against site defenses, increasing the risk of abusive scraping, ToS violations, account compromise, or privacy harm.

VirusTotal

64/64 vendors flagged this skill as clean.
