Scrapling Safe
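v1.0.0
Scrapling Safe skill - a web data scraping tool. Supports HTTP requests, stealthy fetching, and browser automation. Smart element location, resistant to anti-bot detection. No API configuration required; output paths are restricted.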
by 中国山东肥城林水科技 @linshuikeji
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, requirements.txt, and scrapling.py all describe a web-scraping tool. Requested artifacts (a Python package 'scrapling' and browser dependencies) match the stated functionality (HTTP/stealthy/dynamic fetch modes). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and the code limit scope to public sites, enforce robots.txt and output-path restrictions (user home), and include rate/timeout controls. The runtime instructions and code do not read unrelated files or environment variables. Note: 'stealthy' and 'solve_cloudflare' modes intentionally attempt to evade anti-bot protections — this is coherent with scraping but increases potential for misuse.
Install Mechanism
There is no platform install spec (instruction-only), which is low platform risk. However, SKILL.md and requirements.txt instruct installing a third-party Python package ('scrapling') and browser dependencies via 'scrapling install'. Installing these external packages/drivers is a typical but non-trivial supply-chain risk; verify the package source and installer behavior before running.
Credentials
The skill requests no environment variables, secrets, or unrelated config paths. The code does not access credentials or global config; output path validation is limited to the user's home directory.
Persistence & Privilege
Skill is not always-enabled, is user-invocable, and does not modify other skills or system-wide agent settings. It does not request persistent privileges beyond normal execution.
Assessment
This skill appears to do what it says (scraping public sites) and doesn't ask for unrelated secrets. Before installing/using it you should: 1) verify the 'scrapling' package on PyPI or its source repository (ensure it's the legitimate project and inspect its install scripts); 2) be cautious when installing browser drivers or helper tools (they may download binaries); 3) run initially in a sandbox or isolated environment; 4) ensure you have legal authorization to scrape a target site and respect robots.txt and terms of service; and 5) if you rely on the output-path restriction, test that the tool cannot be tricked into writing outside your home directory (e.g., via symlinks or path traversal). If you need higher assurance, request the upstream source repository and provenance for the 'scrapling' package and any installer scripts.
Like a lobster shell, security has layers — review code before you run it.
