Skill v1.0.0
ClawScan security
Scrapling AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 9:09 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a CLI-based web-scraping tool; nothing in the package suggests it is trying to do unrelated or hidden actions.
- Guidance: This skill appears to be a documentation/integration wrapper for the third-party 'scrapling' CLI and is internally consistent. Before installing or running: (1) verify the 'scrapling' package comes from a trusted source (check the PyPI project, maintainer, and release notes); (2) run installs in an isolated environment (virtualenv/container) if you have security concerns; (3) be aware that features which 'bypass Cloudflare/captcha' can be used to evade protections — ensure you have legal permission to scrape target sites and respect robots.txt and rate limits; (4) if you start the MCP server, ensure it is bound only to localhost or otherwise secured to avoid exposing a local scraping control endpoint to untrusted networks; (5) consider auditing the installed package code if you plan to use it in sensitive environments.
Review Dimensions
- Purpose & Capability (ok): Name/description (web scraping with Cloudflare/captcha bypass and MCP support) align with the declared runtime requirement (the 'scrapling' CLI) and the example commands. Requiring the scrapling binary is consistent with a CLI wrapper skill.
- Instruction Scope (note): SKILL.md contains only commands that call the scrapling CLI and instructions to start an MCP server. It does not instruct reading unrelated files or environment variables. Minor note: MCP server guidance implies opening a local server endpoint for agent integration — consider exposure if you run it on a network-accessible host.
- Install Mechanism (note): No install spec is embedded beyond recommended 'pipx'/'pip' usage in SKILL.md; installation is expected to pull the 'scrapling' package from Python packaging (PyPI). This is standard but carries the usual moderate risk of installing third-party packages — verify the package source and review package metadata before install.
- Credentials (ok): The skill declares no environment variables, secrets, or unrelated config paths. That matches its purpose as a thin wrapper around an external CLI.
- Persistence & Privilege (ok): Flags show no always:true and agent invocation is default (allowed). The skill does not request persistent or cross-skill configuration or elevated platform privileges.
