v1.0.1

ScrapeSense.com Developer

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

This ScrapeSense skill is coherent as an API reference, but it covers bulk email sending and account-level billing/API-key changes without consistently requiring explicit user approval or scoped limits.

Guidance: Install only if you intend to let the agent help with ScrapeSense developer API work. Before providing any API key, confirm its scope, keep it least-privileged if possible, and require explicit approval for bulk email sends, campaign deletes, billing changes, webhook changes, and API-key creation or revocation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
references/endpoints.md
`POST /campaigns/{id}/approve-and-send-all`; `DELETE /campaigns/{id}`; `PUT /billing/settings`; `PATCH, DELETE /developer/keys/{id}`

The endpoint map includes bulk-send, delete, billing-setting, and developer-key mutation operations. These are purpose-aligned for an API developer skill, but they are high-impact actions and the artifacts do not require explicit approval or scoped safeguards for all of them.

User impact: If the agent is given ScrapeSense account access, it could change or delete campaigns, send large batches of emails, alter billing settings, or modify API keys unless the user carefully controls each action.
Recommendation: Default to read-only and preview operations. Require explicit user confirmation with the exact endpoint, resource ID, expected count, cost/credit impact, and reversibility before any send, delete, billing, webhook, or API-key mutation.

Cascading Failures
Severity: Medium; Confidence: High; Status: Note
references/capabilities.md
Generate AI emails, review/edit, regenerate one/all, retry failed sends. Approve/send per-email or bulk (`approve-all`, `send-all-approved`, combined approve+send).

Bulk campaign operations and AI-generated emails can propagate a bad prompt, wrong audience, or mistaken approval to many recipients. The SKILL.md includes a sample-email approval guardrail, but users should still treat bulk operations as high impact.

User impact: A single incorrect campaign configuration could send many unwanted or inaccurate emails and consume credits.
Recommendation: Use previews, small test batches, recipient counts, suppression lists, and explicit human approval before any bulk generation, approval, retry, or send.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The package has no code or install step, so there is no hidden dependency evidence, but the registry provenance is limited and should be checked before relying on the endpoint reference.

User impact: The endpoint documentation could be stale or unofficial if it is not verified against the real ScrapeSense developer portal.
Recommendation: Compare the referenced endpoints and workflows with ScrapeSense's official developer documentation before using the skill for account-changing operations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
Get your key from https://scrapesense.com/developer ... Core Capability Areas ... Billing ... Developer APIs: API keys, webhook subscriptions

The skill expects use of a ScrapeSense API key and covers account-level billing, API-key, and webhook management, while the registry metadata declares no primary credential or required environment variables. This leaves the needed privilege scope unclear.

User impact: A user may not realize that using the skill with an API key can expose broad ScrapeSense account authority, including billing and developer-key administration.
Recommendation: Declare the credential requirement and recommended scopes clearly. Separate read-only API use from administrative operations, and require separate approval for API-key, webhook, and billing changes.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
references/endpoints.md
`GET, POST /developer/webhooks`; `PATCH, DELETE /developer/webhooks/{id}`; `POST /developer/webhooks/deliveries/{deliveryId}/retry`

The skill documents webhook subscription and delivery-retry endpoints. Webhooks are purpose-aligned for developer automation, but they create external callback/data-flow boundaries that should be explicitly controlled.

User impact: Webhook configuration mistakes could send ScrapeSense event data to the wrong endpoint or retry deliveries unexpectedly.
Recommendation: Only configure webhooks to user-approved HTTPS endpoints, verify ownership of callback URLs, and confirm what event data will be sent before creating or retrying webhook deliveries.