scrape-scrapy-cloud
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
uvxanduv runto execute theshubCLI and a local Python wrapper script. These operations are within the expected scope of a Scrapy deployment tool. - [EXTERNAL_DOWNLOADS]: The skill fetches the
shubpackage from PyPI usinguvxand interacts with the official Docker Hub API to retrieve image tags. These are well-known, trusted sources for development workflows. - [DATA_EXPOSURE_AND_EXFILTRATION]: The skill explicitly instructs the agent not to display or expose API keys. It uses a dedicated wrapper script (
scripts/scrapy_cloud_api.py) to manage theSHUB_APIKEYsecurely via environment variables or the standard~/.scrapinghub.ymlconfiguration file, preventing keys from appearing in the conversation history or logs. - [INDIRECT_PROMPT_INJECTION]: The skill processes project configuration files (
scrapinghub.yml) and dependency files (requirements.txt). While these are external inputs, the skill treats them as structured data or build manifests rather than instructional prompts, minimizing injection risk.
Audit Metadata