Back to skill

Security audit

Scrapfly SDK TypeScript

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Scrapfly-focused skill whose external web-fetching behavior is expected, but users should remember that scraped pages are handled by Scrapfly.

Install only if you are comfortable sending requested target pages and related extraction data to Scrapfly. Avoid using it on internal, authenticated, confidential, or regulated pages unless you have approval and understand Scrapfly's data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages use of an external scraping platform but does not clearly warn users that target URLs, fetched page contents, and screenshots may be transmitted to a third-party service. This can lead to unintended data disclosure, especially if users apply the skill to internal, authenticated, sensitive, or regulated pages under the assumption that processing is local.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.