Skill v0.1.2

ClawScan security

Scrapling MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 10:43 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files, instructions, and requirements are consistent with a web-scraping guidance + MCP integration tool; it asks for no unrelated credentials or elevated platform privileges, but its anti-bot/stealth guidance can be misused and should only be used with permission.
Guidance
This skill appears to be a legitimate guidance layer + helper scripts for using Scrapling via MCP. Before installing/using it:
1) Verify you have permission to scrape target sites — do not use stealth or proxy rotation to evade protections, bypass paywalls, or access private data.
2) Inspect any proxy strings or Authorization headers you paste into configs; never store real credentials in public places.
3) The skill instructs installing third-party packages (scrapling, playwright) — prefer installing those into a controlled virtualenv.
4) The SKILL.md links refer to GitHub repos/docs; confirm those projects are the official upstream sources you expect.
If you need higher assurance, request the upstream package source and a checksum for the scrapling wheel or review the pip package metadata before installing.

Review Dimensions

Purpose & Capability
ok: Name/description (Scrapling MCP guidance) align with the provided files and instructions: SKILL.md, reference docs, and helper scripts all focus on scraping, MCP setup, fetcher selection, spiders, proxies and anti-bot handling. No unrelated env vars, binaries, or platform access are requested.
Instruction Scope
note: Runtime instructions and examples legitimately show installing scrapling/playwright, configuring an MCP server, calling mcporter, and using fetcher/stealthy/dynamic modes. The instructions include explicit guidance and examples for proxy rotation and 'solve_cloudflare' / stealthy fetchers; those are coherent for advanced scraping but can enable bypassing anti-bot measures if used without authorization — the docs repeatedly note 'use only when authorized', which mitigates but does not remove misuse risk.
Install Mechanism
ok: No install specification is included in the registry (instruction-only). The SKILL.md instructs pip installs from known packages (scrapling, playwright) and to run playwright install; helper scripts are shipped with the skill but there is no downloader or remote install URL that would write arbitrary code at runtime.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config-path requirements. Example snippets show proxy URLs (including username:password examples) and an example API Authorization header in a recipe — these are examples only and not requested by the skill; exercise caution when inserting real credentials into proxy strings or requests.
Persistence & Privilege
ok: The skill is not marked always:true and does not request persistent or cross-skill configuration changes. It does not attempt to modify other skills or system-wide settings.