Website Scraper Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed single-page web scraper, with expected network and package-install behavior but some privacy and scoping caveats.

Install only if you want a tool that fetches user-supplied web pages through Crawl4AI. Avoid private, internal, authenticated, or sensitive URLs unless you are authorized and comfortable with the destination seeing request metadata such as IP address, user agent, headers, and timing.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill instructs the agent to execute a local Python script that uses network access to retrieve arbitrary user-supplied URLs, and `uv run` may also read environment configuration during execution. Because the skill declares no permissions, there is no explicit trust boundary or operator visibility around those capabilities, which can enable unintended outbound requests, access to internal-only endpoints, or environment-influenced behavior.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal