Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scrapling - Stealth Web Scraper

v1.0.3

Web scraping using Scrapling — a Python framework with anti-bot bypass (Cloudflare Turnstile, fingerprint spoofing), adaptive element tracking, stealth headl...

by Damir Armanov (@damirikys)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (stealth web scraping, Cloudflare bypass, JS rendering) align with the included script and SKILL.md. The skill's instructions to install scrapling, a stealth Playwright fork (patchright), and Chromium are proportionate to the described functionality.
Instruction Scope
Instructions are explicit about installing packages, downloading Chromium, and optionally starting an MCP local HTTP server. The skill also documents 'auto_save' which persists element fingerprints to disk. These behaviors are relevant to the stated purpose but do increase local persistence and expose a local network endpoint if MCP is started — the SKILL.md warns to only start MCP when explicitly needed.
Install Mechanism
There is no registry install spec, but SKILL.md directs the user to run 'pip install scrapling[all]' and 'patchright install chromium'. Installing from PyPI and running a package-provided installer that downloads a browser binary is expected for this capability, but users should be aware that PyPI packages execute arbitrary install-time code and the Chromium installer fetches ~100MB of binaries from the package's installer.
Credentials
The skill declares no required env vars, credentials, or config paths. The behaviour (session/cookie handling, optional local MCP server, disk persistence for fingerprints) is consistent with no additional secret access being requested.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges. However, optional features (MCP local HTTP server and auto_save fingerprints) create persistent local state and expose a local endpoint if used; the SKILL.md explicitly warns to start these only when trusted.
Assessment
This skill appears internally consistent for a stealth web scraper, but it carries the normal risks of such tools. Before installing:
1) Confirm you trust the scrapling and patchright PyPI packages / their maintainers (review their GitHub/PyPI pages and recent activity).
2) Only run stealth/dynamic modes on sites you are authorized to scrape — bypassing anti-bot protections can violate terms or laws.
3) Be cautious with the 'patchright install chromium' step (downloads binaries) and with enabling the MCP server (it opens a local HTTP service).
4) Run installs in an isolated environment (virtualenv or container) and inspect the installed package contents if you need higher assurance.
If you want, provide the upstream GitHub/PyPI links and I can check them for suspicious patterns or supply commands to verify package integrity before installing.

Like a lobster shell, security has layers — review code before you run it.
