ai-web-scraping-scrapegraph
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXPOSURE]: The skill accesses the local file
~/.gooseworks/credentials.jsonto retrieve theapi_keyandapi_base. This is a standard practice for managing credentials in this ecosystem and is documented clearly in the setup instructions. - [COMMAND_EXECUTION]: The skill utilizes standard system commands such as
python3(to parse JSON credentials) andcurl(to interact with the ScrapeGraph API endpoints). These are used for their intended purpose of configuration and API communication. - [EXTERNAL_DOWNLOADS]: The skill references
npx gooseworks loginfor authentication andnpx goose-skillsfor installation. These utilize the standard Node.js package executor to manage the skill's environment. - [INDIRECT_PROMPT_INJECTION]: The skill inherently processes external web content through natural language prompts (e.g.,
user_promptinSmartScraper). While this creates an attack surface for indirect prompt injection from scraped web pages, it is the primary function of the tool and relies on the underlying LLM's safety guardrails.
Audit Metadata