Pinterest Scraper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its Pinterest scraping purpose, but it needs review because it disables normal HTTPS checks for image downloads and can upload all JPGs from the chosen output folder to Telegram.
Review before installing. Use a dedicated empty output folder, verify the Telegram chat and bot token before sending, install dependencies in an isolated environment, and consider changing the script to keep HTTPS certificate verification enabled by default.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured connection could tamper with downloaded image files, and the tool may browse any URL the agent passes to it.
The scraper navigates to the supplied URL and downloads images with TLS certificate verification disabled. Browser access and downloads are purpose-aligned, but disabling HTTPS verification is an unsafe default that is not necessary for the core scraping purpose.
page.goto(self.url, timeout=30000) ... r = requests.get(img_url, timeout=15, verify=False)
Validate that URLs are Pinterest domains and use TLS verification by default; make any insecure SSL workaround an explicit, clearly warned opt-in.
Installing the skill pulls code and browser components from external package sources.
The setup requires unpinned Python packages and a Chromium browser install. This is expected for a Playwright-based scraper, but it is still an external supply-chain dependency.
pip install playwright requests
playwright install chromium
Install in an isolated environment, use trusted package indexes, and consider pinning dependency versions before use.
Anyone with the Telegram bot token may be able to act as that bot within its permissions.
The optional Telegram feature uses a bot token and chat ID to send media. This is disclosed and purpose-aligned, with no evidence of hardcoded or unrelated credential use.
requests.post(f"https://api.telegram.org/bot{self.token}/sendMediaGroup", data={"chat_id": self.chat_id, "media": json.dumps(media)}, files=file_data, timeout=60)
Use a dedicated low-privilege Telegram bot, send only to the intended chat, and rotate the token if it is exposed.
If the output folder contains unrelated private JPGs, those files could be sent to the configured Telegram chat.
When Telegram mode is enabled, the script sends JPG files from the selected output folder to Telegram. The destination is disclosed, but the file selection is folder-wide rather than per-file.
all_files = sorted([f for f in os.listdir(self.output_folder) if f.endswith('.jpg')]) ... files=file_data
Use a fresh dedicated output folder for each scrape and review its contents before enabling Telegram sending.
Local state and logs may reveal what Pinterest URL was scraped and which files were downloaded or sent.
The resume feature stores scrape state, downloaded URLs, and Telegram-sent filenames in a local state file under the output folder.
self.state_file = os.path.join(output_folder, '.scrape_state.json') ... 'downloaded_urls': list(self.downloaded_urls), 'telegram_sent': list(self.telegram_sent)
Delete the output folder, .scrape_state.json, and scrape.log when you no longer need resume or audit history.
