ScrapeSense.com Developer
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only ScrapeSense API guide is coherent and disclosed, but it covers bulk email, billing, API-key, and webhook operations that should only be used with explicit approval.
This skill appears benign as an instruction-only ScrapeSense API reference. Before using it, confirm any campaign send, billing, API-key, or webhook operation yourself, use the least-privileged API key available, and verify endpoint behavior against the official ScrapeSense developer documentation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or insufficiently reviewed API call could send many campaign emails or change campaign state.
These documented endpoints can approve and send campaign emails in bulk. This is aligned with the skill’s developer API purpose, and SKILL.md includes a human-approval guardrail, but the operations are high-impact if used carelessly.
`POST /campaigns/{id}/approve-all`, `POST /campaigns/{id}/send-all-approved`, `POST /campaigns/{id}/approve-and-send-all`
Require explicit user confirmation, campaign IDs, and a reviewed sample before any bulk approval or send operation.
Using these endpoints could create, modify, or revoke API keys or change billing-related settings in the ScrapeSense account.
The skill covers account-level API key lifecycle and billing settings endpoints. These are expected for a developer API skill, but they require privileged account authority.
`GET, POST /developer/keys`; `PATCH, DELETE /developer/keys/{id}`; `GET, PUT /billing/settings`
Use least-privileged credentials where possible and require explicit confirmation before changing keys, billing settings, or account configuration.
Webhook misconfiguration could expose ScrapeSense event data to the wrong endpoint or keep sending data after the original task.
Webhook subscriptions and delivery retries can send provider event data to configured callback URLs. This is purpose-aligned, but the artifacts do not specify payload boundaries or webhook authentication details.
`GET, POST /developer/webhooks`; `PATCH, DELETE /developer/webhooks/{id}`; `POST /developer/webhooks/deliveries/{deliveryId}/retry`
Configure only trusted HTTPS webhook destinations, verify authentication/signature handling in ScrapeSense documentation, and remove unused webhooks.
Users have less registry-level provenance information for verifying who authored or maintains the skill.
The registry metadata does not provide a source repository or homepage, although the skill itself points users to the ScrapeSense developer portal. Because there is no code or install step, this is a low-risk provenance note rather than a concern.
Source: unknown; Homepage: none
Verify ScrapeSense API behavior against the official developer portal before using privileged account operations.
