ScraperAPI MCP

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent ScraperAPI reference skill, but users should be aware that it relies on an external scraping service, API credentials, and optional crawl jobs.

Before installing, make sure you are comfortable routing web queries and scraped URLs through ScraperAPI, storing a ScraperAPI API key for MCP use, and verifying the npx/PyPI setup packages. For crawler use, set narrow URL patterns and crawl budgets, and approve callback URLs or recurring schedules only when you understand where data will go and how long jobs will run.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using these tools may send requests through ScraperAPI, consume paid credits, and scrape sites that have access restrictions or usage policies.

Why it was flagged

The skill documents scraping features that can bypass anti-bot controls; this is central to ScraperAPI's purpose, but users should apply it only to appropriate targets.

Skill content

Scrapes a URL and returns its content. Handles proxy rotation, CAPTCHAs, and anti-bot measures automatically.

Recommendation

Use the scraping and premium-bypass options only when appropriate, start with the cheapest/default settings, and confirm crawl scope and budgets before broad scraping.

What this means

Anyone or any configured tool with this key may be able to use the user's ScraperAPI account credits.

Why it was flagged

The remote MCP setup passes the user's ScraperAPI API key to the hosted ScraperAPI MCP server, which is expected for the service but grants account/API usage authority.

Skill content

"Authorization: Bearer ${SCRAPERAPI_API_KEY}"

Recommendation

Store the key securely, avoid exposing it in logs or shared configs, and rotate it if it may have been disclosed.

What this means

Installing or running unverified external packages could expose the local environment or API key if the package source is not trusted.

Why it was flagged

The setup relies on external npm/PyPI-installed components and a hosted MCP endpoint rather than code bundled in the skill; this is disclosed and purpose-aligned, but users should verify package provenance.

Skill content

"command": "npx", "args": ["mcp-remote", "https://mcp.scraperapi.com/mcp" ...] ... `pip install scraperapi-mcp-server`

Recommendation

Confirm the package names and publisher from official ScraperAPI documentation, prefer pinned versions where possible, and install only from trusted package registries.

What this means

Crawled pages may include sensitive, proprietary, or personal data and could be exposed to the callback endpoint if configured incorrectly.

Why it was flagged

Crawler results can be forwarded to a webhook endpoint, which is an external data flow; the documentation appropriately warns about endpoint control, HTTPS, volume, and user approval.

Skill content

When `callbackUrl` is set, ScraperAPI sends all crawled page results to that URL as POST requests... Never set `callbackUrl` without explicit user approval.

Recommendation

Only use callback URLs you control, require HTTPS, and approve callbacks explicitly after checking what data will be sent.

What this means

A scheduled crawl may continue consuming credits and collecting data until disabled or deleted.

Why it was flagged

The crawler can create recurring jobs that continue after the initial setup; this is disclosed and tied to the crawler feature, but it is persistent external activity.

Skill content

If a `schedule` is provided, the crawler runs repeatedly on the configured interval... Available intervals: `"once"`, `"hourly"`, `"daily"`, `"weekly"`, `"monthly"`.

Recommendation

Use schedules only when needed, set crawl budgets and narrow URL patterns, and monitor or delete recurring jobs from the ScraperAPI dashboard.