Powerful web scraping, crawling, and data extraction with stealth anti-bot bypass (Cloudflare Turnstile, CAPTCHAs). Use when: (1) scraping websites that bloc...
Security Analysis
medium confidence
The skill’s code and instructions generally match a heavy-duty web-scraper, but it requires root/system installs and downloads packages at runtime (not declared in registry), and there are operational gaps (CAPTCHA solver/proxy credentials, browser downloads) that the package doesn’t justify or declare — you should review before installing or run in an isolated VM/container.
Name/description (anti-bot scraping/Cloudflare bypass) aligns with included code: scrape.py and setup.sh implement fetchers, stealth mode, dynamic rendering, crawling, and proxy rotation. However, the SKILL.md declares a root-requiring install into /opt/scrapling-venv (apt-get + pip) which is not reflected in the registry-level 'No install spec' claim — mismatch that users should be aware of. The advanced anti-bot claims (CAPTCHA solving) may require external solver services, but no credentials are requested or documented.
Runtime instructions tell the user to run scripts/setup.sh (runs apt-get, pip install, and 'scrapling install') and then use the bundled CLI. The instructions do not direct the agent to read unrelated host files or exfiltrate data. They do, however, instruct downloads and installation of system libraries and browser binaries from the network — a broader scope than a simple 'instruction-only' skill would suggest.
The included setup.sh performs apt-get and pip install (scrapling[all]) and runs 'scrapling install' to fetch browsers. These are standard package sources (apt, PyPI) but will download and execute code/binaries at install time. The install requires root and writes to /opt. There are no explicit third‑party URLs in the script, but pip/‘scrapling install’ may pull many dependencies and browser binaries from external hosts — this increases risk and should be run in an isolated environment after verifying package provenance.
The skill declares no required environment variables or credentials, which is consistent with the files included. However, practical use of anti-CAPTCHA/anti-bot features often needs external solver APIs or paid proxy services (API keys, tokens) — none are declared or explained. That gap is operationally important and may lead users to supply credentials ad hoc.
The skill does not request 'always: true' and is user-invocable, which is normal. But setup.sh requires root (apt-get, venv creation in /opt) and installs system-level libraries and binaries. This elevated privilege and system-wide installation increases blast radius; the SKILL.md itself recommends using an isolated container/VM.
Guidance
This package appears to implement what it claims (a heavy scraping tool with anti-bot features), but it performs system-level installs (apt-get, pip) and places a virtualenv under /opt, which requires root. Before installing: (1) run the setup in an isolated VM or container; (2) inspect the pip package 'scrapling' (and its dependencies) and confirm sources (PyPI project, maintainer) — pip can install arbitrary code; (3) be aware 'scrapling install' will download browser binaries from the network; (4) consider legal/ToS implications of bypassing anti-bot protections and CAPTCHA solving; (5) expect you may need to supply third-party solver or proxy credentials (not declared by the skill); (6) if you cannot review the upstream package or do not want root installs, do not install this skill on a shared host.
Latest Release
v1.0.2
MyClaw.ai branding, added trust boundary + install metadata, fixed security scan warnings
Published by @LeoYeAI on ClawHub