Back to skill

Security audit

Scrapfly SDK Go

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Scrapfly Go SDK guide; it has real privacy and scraping-policy considerations, but no hidden execution, persistence, or destructive behavior in the artifact.

Install only if you intend to use Scrapfly for authorized Go scraping. Do not use it on private, internal, authenticated, personal, regulated, or terms-restricted sites unless you have approval and understand that URLs, request metadata, rendered content, screenshots, and extracted data may be processed by Scrapfly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to send target URLs and retrieved page content through Scrapfly, a third-party scraping service, but does not warn that this may disclose sensitive URLs, query parameters, authentication-bearing targets, or scraped data to an external processor. In a security-sensitive environment, omission of this disclosure can lead to unintended data exfiltration or compliance violations when users scrape internal, private, or regulated content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently advertises anti-bot bypass features such as Cloudflare and DataDome evasion without any caution about legality, terms-of-service restrictions, or organizational policy constraints. That omission can normalize unauthorized scraping or circumvention activity and increase the chance that users deploy the capability against prohibited targets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.