scrape-scrapy-cloud

Pass

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses uvx and uv run to execute the shub CLI and a local Python wrapper script. These operations are within the expected scope of a Scrapy deployment tool.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the shub package from PyPI using uvx and interacts with the official Docker Hub API to retrieve image tags. These are well-known, trusted sources for development workflows.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill explicitly instructs the agent not to display or expose API keys. It uses a dedicated wrapper script (scripts/scrapy_cloud_api.py) to manage the SHUB_APIKEY securely via environment variables or the standard ~/.scrapinghub.yml configuration file, preventing keys from appearing in the conversation history or logs.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes project configuration files (scrapinghub.yml) and dependency files (requirements.txt). While these are external inputs, the skill treats them as structured data or build manifests rather than instructional prompts, minimizing injection risk.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 3, 2026, 10:17 AM
Security Audit — agent-trust-hub — scrape-scrapy-cloud