scrapling-skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Scrapling web-scraping helper with dual-use anti-bot guidance, but it includes authorization limits and does not request credentials or hidden access.

Install only if you intend to use an agent for lawful, authorized web scraping. Use it on sites you own or are allowed to scrape, avoid login-required, paywalled, private, or personal-data targets, keep request rates reasonable, and consider pinning or reviewing the Scrapling dependency before running the setup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger text is broad enough to activate on many ordinary scraping-related requests, including ones that mention bypassing anti-bot protections or Cloudflare handling. Because this skill contains operational guidance for anti-bot-resistant scraping, unintended invocation could steer the agent toward providing assistance in legally or ethically sensitive scraping scenarios without sufficient contextual gating.

VirusTotal

65/65 vendors flagged this skill as clean.