SpielerPlus Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SpielerPlus scraper that uses user-provided credentials to read team data; users must protect those credentials and the sensitive data the scraper outputs.

Install only if you are authorized to access the SpielerPlus teams involved. Use a dedicated or least-privilege account where possible, keep SPIELERPLUS_EMAIL and SPIELERPLUS_PASSWORD out of commits, screenshots, CI logs, and shell history, and treat exported or console-printed member, absence, participation, role, and finance data as sensitive. Prefer updating/locking Playwright to a patched release before running browser installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes scraping highly sensitive team data such as absences, finances, contact details, roles, and participation statistics, but only includes a general Terms-of-Service disclaimer. It does not warn about privacy obligations, consent, lawful basis for access, or safe handling of exported personal data, which increases the risk that users will collect and expose personal or financial information without appropriate safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place login credentials in a .env file or environment variables but does not warn that these secrets must be protected. This can lead to accidental credential leakage through source control, shell history, shared environments, logs, or misconfigured deployment systems, especially for a scraper that accesses sensitive member and financial data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill requires account credentials via environment variables and is designed to retrieve potentially sensitive team-management data such as members, absences, finances, roles, and participation statistics, yet the description does not warn users about this data access and transmission. This omission can mislead users about the sensitivity of the operation, reducing informed consent and increasing the risk of accidental exposure of credentials or private team data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example shows real credential variables being passed into a container without any warning about secure handling, which can normalize unsafe practices such as exposing secrets via shell history, process inspection, CI logs, or copied command snippets. In a scraper for a team-management platform, those credentials likely grant access to personal and organizational data, so careless handling could lead to account compromise or data disclosure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill performs automated authenticated access to a third-party service and extracts potentially sensitive team data such as members, absences, finances, and participation details. In an agent/skill context, doing so without explicit user-facing consent, scope disclosure, or data-handling boundaries increases the risk of overcollection and unauthorized access to private organizational information.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://gitlab.com/draiwing/spielerplus-scraper"
  },
  "dependencies": {
    "playwright": "^1.40.0",
    "dotenv": "^16.0.0"
  },
  "devDependencies": {
Confidence
94% confidence
Finding
"playwright": "^1.40.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "playwright": "^1.40.0",
    "dotenv": "^16.0.0"
  },
  "devDependencies": {
    "standard-version": "^9.5.0"
Confidence
90% confidence
Finding
"dotenv": "^16.0.0"

Known Vulnerable Dependency: playwright==1.40.0 — 1 advisory: CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
97% confidence
Finding
playwright==1.40.0

VirusTotal

65/65 vendors flagged this skill as clean.