XCrawl Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward XCrawl web-scraping helper, but it stores the user’s XCrawl API key in a local plaintext config file.

Install only if you trust XCrawl and the xcrawl Python package. Use a dedicated API key, keep scripts/config.json out of shared folders and source control, rotate the key if it is exposed, and do not scrape private, regulated, or unauthorized content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs users to persist an API key in scripts/config.json, a local plaintext config file, without warning about secret-handling risks. This can expose credentials through source control commits, shared workspaces, backups, or other local processes that can read the file, enabling unauthorized use of the XCrawl account or billing abuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script persists the API key directly into a local JSON config file, which can expose credentials to other local users, backups, source-control accidents, or malware on the host. In a scraping skill context, the key may grant access to a paid third-party service and could be abused for unauthorized usage or quota exhaustion if the file is read by an attacker.
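The overview's advice (use a dedicated key, keep scripts/config.json out of shared folders and source control, rotate the key if it is exposed) and both findings above reduce to one mitigation: never read the key from a file that other local users or a stray commit could read too. The following is an added example, not code from the XCrawl Scraper skill or the xcrawl package. It prefers an environment variable (the name XCRAWL_API_KEY is an assumption; the skill documents none), otherwise accepts scripts/config.json only when it is owner-only (mode 0600) and owned by the caller, and checks whether the file is covered by the repository's .gitignore. The function names and the constructed fixture in demo() are also assumptions.

```python
"""Hardened handling of the XCrawl API key.

Added example for this listing, not code from the XCrawl Scraper skill or the
xcrawl package. It assumes scripts/config.json holds {"api_key": "..."}; the
variable XCRAWL_API_KEY, the function names and the demo fixture are assumptions.
"""
import fnmatch
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Mapping, Optional

ENV_VAR = "XCRAWL_API_KEY"  # assumed name; the skill documents none


class KeyLoadError(Exception):
    """The key could not be loaded without an exposure risk."""


def config_permission_problems(path: Path) -> List[str]:
    """Reasons the file is unsafe to trust (empty list = OK). On POSIX it must
    be owned by the caller with no group/other bits; elsewhere the check is skipped."""
    if os.name != "posix":
        return []
    st = path.stat()
    problems: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is group/world accessible (mode {mode:04o}); chmod 600 it")
    if st.st_uid != os.getuid():
        problems.append(f"{path} is not owned by the current user")
    return problems


def is_gitignored(config_path: Path, repo_root: Path) -> bool:
    """Simplified .gitignore check (plain paths, globs, directory prefixes;
    no negation or nested .gitignore files): is the config file covered?"""
    gitignore = repo_root / ".gitignore"
    if not gitignore.is_file():
        return False
    rel = config_path.resolve().relative_to(repo_root.resolve()).as_posix()
    for line in gitignore.read_text(encoding="utf-8").splitlines():
        pattern = line.strip().lstrip("/")
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(rel, pattern) or rel.startswith(pattern.rstrip("/") + "/"):
            return True
        if "/" not in pattern and fnmatch.fnmatch(rel.rsplit("/", 1)[-1], pattern):
            return True  # a bare name matches in any directory, as in git
    return False


def load_api_key(config_path: Path = Path("scripts/config.json"),
                 env: Optional[Mapping[str, str]] = None) -> str:
    """Key from the environment first, else from a locked-down config file;
    raise KeyLoadError rather than read a file other local users could read too."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR)
    if key:
        return key
    if not config_path.is_file():
        raise KeyLoadError(f"set {ENV_VAR} or create {config_path} with mode 0600")
    problems = config_permission_problems(config_path)
    if problems:
        raise KeyLoadError("; ".join(problems))
    try:
        key = json.loads(config_path.read_text(encoding="utf-8")).get("api_key")
    except (json.JSONDecodeError, AttributeError) as exc:
        raise KeyLoadError(f"{config_path}: expected a JSON object with api_key") from exc
    if not isinstance(key, str) or not key.strip():
        raise KeyLoadError(f"{config_path}: api_key is missing or empty")
    return key


def demo() -> Dict[str, object]:
    """Run the loader against a constructed fixture and return the outcomes."""
    results: Dict[str, object] = {"posix": os.name == "posix"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "scripts" / "config.json"
        cfg.parent.mkdir()
        cfg.write_text(json.dumps({"api_key": "xc-constructed-demo-key"}))  # not a real key
        cfg.chmod(0o644)  # the usual default: readable by every local user
        try:
            load_api_key(cfg, env={})
            results["loose_mode_rejected"] = False
        except KeyLoadError:
            results["loose_mode_rejected"] = True
        cfg.chmod(0o600)  # owner-only: now trusted
        results["strict_mode_key"] = load_api_key(cfg, env={})
        results["env_key"] = load_api_key(cfg, env={ENV_VAR: "xc-from-env"})
        results["ignored_before"] = is_gitignored(cfg, root)
        (root / ".gitignore").write_text("# secrets\n/scripts/config.json\n")
        results["ignored_after"] = is_gitignored(cfg, root)
    return results
```

Calling demo() builds a throwaway directory with a constructed key and shows the loader rejecting the file at mode 0644, accepting it at 0600, preferring the environment variable when both are present, and the .gitignore check flipping once scripts/config.json is listed. The permission check only runs where POSIX mode bits exist; on Windows use filesystem ACLs instead, and in either case rotate the key if the file has ever been committed or shared.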

VirusTotal

0 of 50 vendors flagged this skill; all 50 reported it clean. A clean VirusTotal result means no engine detected known malware in the package; it does not assess how the skill handles the API key, so the findings above still apply.