just-scrape
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the just-scrape package from the npm registry using standard package managers (npm, pnpm, yarn, bun).
- [COMMAND_EXECUTION]: Documentation includes several shell commands for the just-scrape CLI to perform web scraping, searching, and crawling tasks. These commands are typical for the tool's stated purpose.
- [CREDENTIALS_UNSAFE]: The skill describes how the CLI handles authentication via the SGAI_API_KEY environment variable and a local configuration file at ~/.scrapegraphai/config.json. No hardcoded API keys or secrets are present in the code.
- [PROMPT_INJECTION]: The tool performs AI-driven extraction on data fetched from arbitrary external URLs. This represents a surface for indirect prompt injection, as the agent processes untrusted content from scraped webpages.
  - Ingestion points: URLs provided to scrape, extract, search, and crawl commands.
  - Boundary markers: None specified in the CLI commands.
  - Capability inventory: Shell execution of the just-scrape CLI for data retrieval.
  - Sanitization: Data is processed by the ScrapeGraph AI service; no local sanitization is described in the manual.
Audit Metadata