Decodo Scraper

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a legitimate Decodo web-scraping wrapper, but it sends requested searches and URLs to Decodo and uses a Decodo auth token.

This skill is reasonable to install if you intend to use Decodo for web scraping. Before enabling it, set the Decodo token only in a trusted environment, understand that requested URLs and queries are sent to Decodo, avoid sensitive scrape targets, and treat returned webpage text as untrusted content.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches, URLs, and requested scrape targets may be visible to Decodo and may consume the user's Decodo API quota or billing.

Why it was flagged

The tool sends user-provided queries or URLs to Decodo's scraping API. This is central to the skill's purpose, but it means scrape targets and search terms leave the local environment.

Skill content

SCRAPE_URL = "https://scraper-api.decodo.com/v2/scrape" ... "universal": {"target": "universal", "url": args.url, "markdown": True}

Recommendation

Use it for intended public web scraping tasks and avoid sending private, sensitive, or internal URLs or search terms unless that is acceptable for your Decodo account.

What this means

Anyone or any agent process with this token can make Decodo scraping API calls under the configured account.

Why it was flagged

The script requires a Decodo auth token and uses it to authenticate API requests. This is expected for the service integration and is disclosed, but it is still delegated account authority.

Skill content

token = os.environ.get("DECODO_AUTH_TOKEN") ... "Authorization": f"Basic {token}"

Recommendation

Store the token securely, use the least-privileged or lowest-risk Decodo credential available, and monitor account usage or quotas.

What this means

A future install may pull newer dependency versions than the author tested.

Why it was flagged

The Python dependencies are expected for the script, but they are specified with lower bounds rather than exact pinned versions.

Skill content

requests>=2.28.0
python-dotenv>=1.0.0

Recommendation

Install in a virtual environment and consider pinning exact package versions or using a lockfile for repeatable deployments.

What this means

A scraped page could include text that tries to influence the agent if the agent treats page content as instructions rather than data.

Why it was flagged

The skill returns arbitrary web content into the agent's context. That content is untrusted retrieved context and may contain instructions or misleading text.

Skill content

universal – fetch and parse any public webpage, returning clean Markdown

Recommendation

Treat scraped output as untrusted information, and do not let webpage text override the user's instructions or trigger actions without review.