MrScraper
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This is a disclosed API-only scraping skill, but it is designed to bypass anti-bot and captcha blocking and may involve credentials or cookies, so it needs careful review before use.
Install only if you have a legitimate, authorized need for MrScraper. Do not use it to bypass protections on sites you are not allowed to scrape, avoid passing session cookies, and use scoped/expiring tokens while keeping sensitive URLs and private content out of scraping jobs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could scrape sites that are actively trying to block automated access, creating legal, account, IP reputation, or abuse risks for the user.
The skill explicitly enables stealth/IP-rotation scraping to bypass captcha and anti-bot defenses, which is high-risk behavior without visible authorization or target restrictions.
Opening blocked pages through unblocker (stealth browser + IP rotation) ... Use this when direct access is blocked by captcha or anti-bot protections.
Use only on sites you own or are explicitly authorized to scrape, and require explicit user confirmation before using unblocker, proxy, anti-bot, or cookie-based workflows.
If session cookies are supplied, the provider and agent may be able to access private account-specific pages or data, not just public web pages.
The API token is expected, but the documentation also contemplates sending session cookies, which can expose authenticated target-site access through the scraping provider.
required_env_vars: [MRSCRAPER_API_TOKEN] ... Only pass cookies when session-specific content is required.
Do not pass login cookies unless absolutely necessary and authorized; prefer scoped, expiring API tokens and isolated/read-only accounts for scraping.
Sensitive URLs, page contents, or extraction instructions could be shared with the MrScraper service as part of normal operation.
The skill clearly discloses third-party API data flow; this is purpose-aligned, but users should recognize that target URLs, extraction instructions, and scraped content may be processed externally.
Data is sent only to `api.app.mrscraper.com` and `api.mrscraper.com`. Responses may contain extracted page content and scrape metadata.
Avoid using the skill on confidential, regulated, or private pages unless the provider’s data handling terms meet your requirements.
Users may over-trust the tool as safe or acceptable for blocked sites when the target site may prohibit or restrict automated scraping.
The wording promotes 'unblockable' and stealth scraping without visible cautions about authorization, robots.txt, site terms, or legal limits.
Run AI-powered, unblockable web scraping ... tags: [scraping, data-extraction, web-crawling, stealth-browser, web-automation]
Treat the marketing claims as high-risk capability descriptions, not permission to scrape; verify authorization and compliance before use.