Scrapingbot
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a real ScrapingBot/Membrane integration, but it gives the agent broad credentialed API control without clear limits or confirmation guidance.
Review this skill before use. It is probably intended for legitimate ScrapingBot management, but only connect accounts you are comfortable delegating to Membrane, and require explicit confirmation before any raw API call or action that creates, changes, deletes, or may bill for scraping jobs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make credentialed changes to the ScrapingBot account or jobs if it chooses a write/delete API path.
The skill permits broad raw API requests, including mutating and deleting methods, through an authenticated proxy without explicit user-confirmation or endpoint-scope guidance.
When the available actions don't cover your use case, you can send requests directly to the ScrapingBot API through Membrane's proxy... Common options: ... HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer discovered Membrane actions over raw proxy calls, require explicit user approval before POST/PUT/PATCH/DELETE requests, and review the exact endpoint and request body before execution.
Installing and using the skill may give the agent access to a connected ScrapingBot account through Membrane.
The skill relies on delegated Membrane/ScrapingBot authentication and automatic credential refresh, even though the registry requirements list no primary credential.
Membrane handles authentication and credentials refresh automatically... membrane login --tenant --clientName=<agentType>
Use the least-privileged account available, confirm which ScrapingBot connection is used, and revoke or disconnect access when no longer needed.
The CLI code that runs may change over time and is outside the instruction-only skill artifact.
The skill asks users to install a global CLI using a floating latest version, so the reviewed artifact does not pin the executable code that will run.
npm install -g @membranehq/cli@latest
Install the CLI only from the official npm package, consider pinning a specific version, and review updates before use.
ScrapingBot requests and responses may pass through Membrane infrastructure as part of the integration.
Requests to ScrapingBot are mediated through Membrane, which acts as an authenticated gateway and injects credentials.
Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers — including transparent credential refresh if they expire.
Make sure you trust Membrane for this account integration and avoid sending unnecessary sensitive data through proxy requests.