scrapling
Warn
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary workflow involves the agent reading Python templates (e.g.,
templates/basic_fetch.py,templates/stealth_cloudflare.py), populating them with user-provided parameters like URLs and CSS selectors, and executing the resulting scripts using theBashtool. - [EXTERNAL_DOWNLOADS]: The instructions require installing the
scraplingPython package and its browser-based fetchers using commands such aspip install "scrapling[fetchers]"andscrapling install. - [PROMPT_INJECTION]: The skill is inherently exposed to indirect prompt injection due to its function of scraping and processing external web content.
- Ingestion points: Untrusted HTML and text are retrieved from third-party websites via the generated scripts and printed to the agent's context (e.g., in
templates/basic_fetch.py). - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat scraped data as untrusted or to ignore instructions contained within it.
- Capability inventory: The agent has access to the
Bashtool and file-writing capabilities across the entire skill folder, which could be targeted by malicious instructions embedded in scraped pages. - Sanitization: Scraped content is presented to the agent without any prior sanitization, filtering, or validation.
- [DATA_EXFILTRATION]: The skill implements a persistence mechanism for session cookies, instructing the agent to save them to
references/cookie-vault.md. While intended for legitimate session maintenance across scraping tasks, this creates a local store of sensitive credentials that could be exposed or exfiltrated if the agent processes malicious scraped content.
Audit Metadata