Back to skill

Security audit

Scrapfly Crawler

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Scrapfly crawler skill with expected crawling risks but no hidden or automatic unsafe behavior.

Install this only if you plan to crawl sites through Scrapfly. Use tight page and path limits, keep follow_external_links off unless needed, enable robots.txt compliance where appropriate, avoid anti-bot or proxy features without authorization, protect your API key, and review saved crawl archives for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enables broad website crawling, external link following, archive generation, and large-scale content collection, but it does not warn about legal restrictions, privacy exposure, robots.txt handling, or infrastructure impact. In this context, omission of operational safeguards is risky because users may crawl sensitive or disallowed content, over-collect data, or cause unintended load on third-party sites.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The documentation says the API key may be passed directly to the client without warning against hardcoding, logging, or committing secrets. While common in SDK docs, this can lead users to embed credentials in code or transcripts, increasing the risk of accidental secret disclosure.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The examples save WARC/HAR artifacts and generated text files locally without warning that these outputs may overwrite files or contain sensitive scraped data, tokens, session material, or copyrighted/private content. In a crawling skill, persisted artifacts can be especially sensitive because they aggregate data from many pages.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.