sg-property-scraper
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The `scripts/scrape.py` file contains a local file inclusion (LFI) vulnerability. The `--config` command-line argument accepts an arbitrary file path, which the script then opens and parses as JSON. Prompt injection against the AI agent could exploit this to read sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`); even when JSON parsing fails, the file read itself is an information disclosure risk. Additionally, the `--raw-param` argument allows adding arbitrary URL query parameters, which could be used to target the scraped website with injection attacks.
