ai-web-scraping-scrapegraph

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXPOSURE]: The skill accesses the local file ~/.gooseworks/credentials.json to retrieve the api_key and api_base. This is a standard practice for managing credentials in this ecosystem and is documented clearly in the setup instructions.
  • [COMMAND_EXECUTION]: The skill utilizes standard system commands such as python3 (to parse JSON credentials) and curl (to interact with the ScrapeGraph API endpoints). These are used for their intended purpose of configuration and API communication.
  • [EXTERNAL_DOWNLOADS]: The skill references npx gooseworks login for authentication and npx goose-skills for installation. These utilize the standard Node.js package executor to manage the skill's environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill inherently processes external web content through natural language prompts (e.g., user_prompt in SmartScraper). While this creates an attack surface for indirect prompt injection from scraped web pages, it is the primary function of the tool and relies on the underlying LLM's safety guardrails.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — ai-web-scraping-scrapegraph