Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill clearly directs users to send arbitrary target URLs and page content to Scrapfly's third-party screenshot service, and the notes explicitly state screenshots are stored remotely and retrievable via a response header. Failing to warn users about third-party transmission and remote retention can cause unintended disclosure of sensitive internal URLs, page contents, or authenticated views if the skill is used on private resources.
