OpenClaw Scrapling
Pass
Audited by VirusTotal on May 10, 2026.
Findings (1)
The skill is a powerful web scraping tool with legitimate functionality, but it exposes several high-risk capabilities that could be exploited by a compromised AI agent through prompt injection. Specifically, the `scrape.py` script allows arbitrary file writes via the `--output` argument and enables extensive control over network requests (URL, proxy, headers), which could lead to SSRF. The `SKILL.md` documentation also explicitly details how to run custom Python scripts, creating a potential RCE vector if an agent can be prompted to write and execute arbitrary code. While no direct malicious intent or prompt injection is found in the provided files, these capabilities present significant vulnerabilities.
