Scrapling Official Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for web scraping, but it explicitly enables stealth anti-bot and Cloudflare/Turnstile bypass with persistent browser sessions, so it belongs in Review rather than auto-approval.

Install or use this only when you are authorized to scrape the target sites. Require explicit approval for stealth bypass, Cloudflare/Turnstile solving, proxy rotation, cookies, browser profile access, persistent sessions, and bulk crawling. Prefer pinned installs and isolated temporary browser profiles.

Publisher note

That's the official skill for the famous web scraping library called Scrapling, so all kinds of automation and browser support are expected. The skill is hosted on the main repo of Scrapling as well, so don't say it's evil in any way: https://github.com/D4Vinci/Scrapling/tree/main/agent-skill

Static analysis

Stealth browser abuse

Severity: Critical

Finding: Browser automation advertises stealth/anti-detection behavior with bot-protection bypass and persistent sessions.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could evade website anti-abuse systems, violating site terms or laws and creating account, IP, or organizational risk.

Why it was flagged

The skill explicitly directs use for protected sites and advertises bypass of third-party anti-bot protections, which can be misused without strong target authorization controls.

Skill content

description: Scrape web pages using Scrapling with anti-bot bypass (like Cloudflare Turnstile), stealth headless browsing... Use when ... the site has anti-bot protections

Recommendation

Use only on targets the user is authorized to scrape, and require explicit user approval before stealth, Cloudflare/Turnstile solving, proxy rotation, or bulk crawling.

What this means

If a user points the skill at an authenticated browser or supplies cookies, the agent may act with logged-in authority on target websites.

Why it was flagged

The documented options can reuse browser profiles, cookies, proxy credentials, or CDP-controlled browsers if the user supplies them.

Skill content

`cdp_url` ... control real browsers ... `user_data_dir` ... stores browser session data like cookies and local storage

Recommendation

Prefer isolated temporary browser profiles and scoped test accounts; avoid passing real cookies, CDP URLs, or existing user profiles unless necessary.

What this means

A future upstream package or image change could alter behavior after installation.

Why it was flagged

The install path pulls external package/browser dependencies and a mutable latest Docker image, so installed code may differ from the reviewed artifact over time.

Skill content

`pip install "scrapling[all]>=0.4.8"` ... `scrapling install --force` ... `docker pull ghcr.io/d4vinci/scrapling:latest`

Recommendation

Pin exact package and image versions in sensitive environments and review upstream provenance before running force installs.

What this means

Untrusted or overly broad MCP client access could expose URLs, screenshots, cookies, or browser sessions through shared tools.

Why it was flagged

If deployed, the MCP server exposes scraping, screenshots, and persistent session tools to MCP clients, making tool access boundaries important.

Skill content

The Scrapling MCP server exposes ten tools over the MCP protocol ... persistent browser session management

Recommendation

Run the MCP server only locally or in a trusted environment, and restrict which agents or clients can call it.

What this means

Sessions may retain authenticated or fingerprinted state longer than expected if not closed.

Why it was flagged

Persistent browser sessions are disclosed, but they can keep browser state and stealth configuration alive beyond a single fetch.

Skill content

`open_session` -- Create a persistent browser session ... stays alive across multiple fetch calls

Recommendation

Use short-lived sessions, close them promptly, and avoid persistent stealth sessions unless the user explicitly requests them for a scoped target.