ClawHub

Olostep

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Olostep web scraping/search skill whose third-party API use and API key requirement are disclosed, but users should apply care with sensitive targets and bulk crawling.

Install this only if you intend to use Olostep as a third-party web data provider. Do not send private, authenticated, regulated, or proprietary URLs or queries unless you have permission and are comfortable sharing them with Olostep. Keep crawls and batches tightly scoped, confirm target-site rules and organizational approval, and avoid personal-data-heavy scraping unless you have a clear lawful basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broad enough to trigger on many ordinary tasks involving live internet information, which can cause the agent to invoke a third-party web scraping/search capability more often than the user expects. That increases the chance of unnecessary external data transmission and accidental use on sensitive or internal-looking targets.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends URLs, queries, and task content to Olostep's external API but does not clearly warn users that their inputs and targets leave the local environment. This can mislead users into sharing sensitive queries, private URLs, or proprietary investigation targets with a third party without informed consent.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill advertises large-scale crawling and batch scraping up to 10,000 URLs without any warning about rate limits, target-site permissions, robots/compliance expectations, or organizational approval. In context, this creates a real risk of misuse, excessive collection, and policy violations even if the capability is legitimate.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal