decodo-scraper
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implementation is transparent and performs its stated scraping tasks without any detected malicious behavior, obfuscation, or persistence mechanisms.
- [DATA_EXFILTRATION]: The skill requires an API token (DECODO_AUTH_TOKEN) for authentication. This token is transmitted only to the official vendor domain (scraper-api.decodo.com), which is considered safe and standard for the intended functionality.
- [PROMPT_INJECTION]: The skill acts as an ingestion point for untrusted web data, presenting a surface for indirect prompt injection.
  1. Ingestion points: The skill fetches content from Google Search, Amazon, YouTube, and Reddit through the tools/scrape.py script.
  2. Boundary markers: None are present; the skill does not wrap its output in delimiters or provide instructions to the agent to disregard embedded commands.
  3. Capability inventory: The skill's capabilities are limited to making network requests to the Decodo API and reading local environment variables; it does not have the ability to execute shell commands or modify the file system.
  4. Sanitization: No sanitization or filtering of the retrieved content is performed before it is passed to the agent.
Audit Metadata