XCrawl Scrape

Name: xcrawl-scrape
Author: wykings

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

This skill grants broad permissions, enabling system compromise, data

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

XCrawl Scrape: This skill handles single-page extraction with XCrawl Scrape APIs. Default behavior is raw passthrough: return upstream API response bodies as-is.

Actually does

This skill uses `curl` or `node` to interact with the XCrawl Scrape API. It reads an API key from `~/.xcrawl/config.json` and then makes POST requests to `https://run.xcrawl.com/v1/scrape` to initiate scrapes (sync or async) and GET requests to `https://run.xcrawl.com/v1/scrape/{scrape_id}` to retrieve async results.

Threat Analysis

AI Agent Traps ↗Scanned 4/16/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction9 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseer1 finding

Skill Info

Namewykings/xcrawl-scrape

Registryclawhub

Version1.0.2

PURLpkg:clawhub/wykings/xcrawl-scrape@1.0.2

Downloads1,071

Installs9

Source

Repository ↗

SHA-2567b99e4096f85...

SHA-190a27586f67e...

MD540aa43c8c800...

TLSHb402a593cdf7...

ssdeep192:hLzaiDnD...

Size8,632 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/wykings/xcrawl-scrape

1,071 downloads9 installs

ClawHubDocs

openclaw skills install wykings/xcrawl-scrape

Assessments (4)

AI Agent Traps ↗

Access to sensitive environment variables detectedcriticalcredential theft

Access to sensitive environment variables detected

100% confidenceline 56

${API_KEY}

Arbitrary Command Execution and File System Accesscriticalcommand execution, data exfiltration, persistence, reconnaissance, impact

The skill is granted broad permissions to execute arbitrary `curl` and `node` commands, as well as perform `Read`, `Write`, and `Edit` operations on the file system. This allows for complete system compromise, including data exfiltration, installing persistence mechanisms, and arbitrary code execution.

100% confidenceline 4

allowed-tools: Bash(curl:*) Bash(node:*) Read Write Edit Grep

Server-Side Request Forgery (SSRF) via Webhookhighssrf, data exfiltration, reconnaissance

The `webhook.url` parameter allows the agent to make outbound HTTP requests to an arbitrary, user-controlled URL. This can be exploited for Server-Side Request Forgery (SSRF) to access internal network resources, exfiltrate data, or scan ports.

100% confidenceline 157

| url | string | No | - | Callback URL

Insecure TLS Configuration Optionmediumimpact

The `request.skip_tls_verification` parameter allows disabling TLS certificate validation for outgoing requests. This weakens security by making connections vulnerable to Man-in-the-Middle attacks and could lead to insecure communication practices.

100% confidenceline 125

| skip_tls_verification | boolean | No | true | Skip TLS verification

API Key Read from Local Config Fileinfocredential harvesting

The skill reads the XCRAWL_API_KEY from ~/.xcrawl/config.json using inline Node.js code executed via Bash. While the skill claims to keep the key local, the key is extracted and embedded into shell variables and curl commands, creating potential exposure in shell history, process lists, or logs.

55% confidenceline 52

API_KEY="$(node -e "const fs=require('fs');const p=process.env.HOME+'/.xcrawl/config.json';const k=JSON.parse(fs.readFileSync(p,'utf8')).XCRAWL_API_KEY||'';process.stdout.write(k)")'"

Credential Transmitted to Third-Party External Servicemediumcredential theft

The skill instructs the agent to read a locally stored API key and transmit it as a Bearer token to an external third-party domain (run.xcrawl.com). If the target URL or API endpoint is ever substituted (e.g., via prompt injection in a scraped page), the API key could be exfiltrated to an attacker-controlled server.

60% confidenceline 55

-H "Authorization: Bearer ${API_KEY}" ... curl -sS -X POST "https://run.xcrawl.com/v1/scrape"

SSRF Risk via User-Controlled URL Parameterhighssrf

The skill accepts a user-supplied URL and passes it directly to the XCrawl API as the 'url' field. The API then fetches that URL server-side. If the agent constructs or accepts URLs from untrusted sources (e.g., content from previously scraped pages), this could be used to trigger SSRF against internal services reachable from XCrawl's infrastructure, or to exfiltrate the API key to an attacker-controlled endpoint by setting the url to an attacker server.

65% confidenceline 57

-d '{"url":"https://example.com","mode":"sync","output":{"formats":["markdown","links"]}}'

Arbitrary URL Fetch Enabling Data Exfiltrationmediumdata exfiltration

The skill can be directed to scrape any URL, including URLs containing sensitive data in query parameters or paths. Combined with the webhook feature (which sends results to a caller-specified URL), this could be used to exfiltrate data extracted from internal or sensitive pages to an attacker-controlled endpoint.

55% confidenceline 131

webhook.url: Callback URL ... webhook.headers: Custom callback headers

Inline Node.js Code Execution via Bashmediumcommand execution

The skill instructs the agent to execute inline Node.js code via Bash to parse JSON and extract credentials. While this is declared in the allowed-tools, the pattern of dynamically constructing and executing code from skill instructions is a vector that could be abused if the skill instructions are tampered with (e.g., supply chain attack on the skill file).

50% confidenceline 83

node -e 'const fs=require("fs");const apiKey=JSON.parse(fs.readFileSync(process.env.HOME+"/.xcrawl/config.json","utf8")).XCRAWL_API_KEY;

Indirect Prompt Injection via Scraped Page Contenthighprompt injection

The skill fetches and returns raw web page content (HTML, markdown, JSON) from arbitrary URLs and passes it back to the agent. Malicious web pages could embed hidden prompt injection instructions within their content. The skill's 'Output Contract' specifies returning 'Raw response body from each API call' without sanitization, maximizing the attack surface for indirect prompt injection.

80% confidenceline 160

4. Return raw API responses directly.
- Do not synthesize or compress fields by default.

Upstream Prompt Injection Vectorlowprompt injection

The `output.json.prompt` field allows user-controlled input to be passed as a prompt for JSON extraction to the upstream XCrawl service. If the XCrawl service uses an LLM for this extraction, this could be a prompt injection vector against that service.

100% confidenceline 147

| json.prompt | string | No | - | Extraction prompt

Financial Action: Credit Consumption Without Explicit Consentlowfinancial action

The skill consumes paid credits on each API call. The skill notes this but does not enforce any confirmation step before execution. An agent operating autonomously could exhaust user credits by making repeated scrape calls without user awareness.

50% confidenceline 31

Using XCrawl APIs consumes credits.

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/wykings/xcrawl-scrape.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/wykings/xcrawl-scrape)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/wykings/xcrawl-scrape"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/wykings/xcrawl-scrape.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/wykings/xcrawl-scrape.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow