Back to skill

Security audit

Scrapfly Extraction

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Scrapfly API usage guide, with expected third-party data-sharing and API-key handling risks users should understand.

Install only if you are comfortable sending the HTML, markdown, text, or scraped page content you process to Scrapfly. Do not use it with secrets, credentials, regulated data, customer data, or private internal pages unless Scrapfly is approved for that data, and keep the API key in an environment variable or secrets manager rather than source code or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs users to send arbitrary document or page content to Scrapfly's remote extraction API, but it does not warn that this may transmit sensitive, proprietary, or regulated data off-system to a third party. In a data-extraction skill, that omission increases the risk of accidental disclosure because users may treat the tool as local processing when it is actually SaaS-backed.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill tells users to provide an API key via environment variable or directly to the client, but it does not include any guidance on secure credential handling. While using environment variables is standard practice, omitting warnings against hardcoding, logging, or exposing the key can lead to accidental credential leakage in scripts, notebooks, or shared examples.

External Transmission

Medium
Category
Data Exfiltration
Content
## API Reference

**Endpoint:** `POST https://api.scrapfly.io/extraction`

### ScrapflyClient
Confidence
86% confidence
Finding
https://api.scrapfly.io/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.