scrapling
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
  [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
  [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
  [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
  [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
  [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]

The package, as documented, is a legitimate-looking web scraping CLI/library with powerful capabilities for HTTP and browser-driven extraction. I found no explicit evidence of embedded malware or obfuscated backdoors in the provided text. However, the presence of potentially dangerous options (disabling SSL verification), strong anti-bot evasion features, and an installer that likely downloads browsers/fingerprinting helpers without documented provenance create moderate supply-chain and misuse risks.

Actionable recommendations: inspect the implementation of `scrapling install` and any downloaded artifacts, require integrity verification for installers, avoid using --no-verify, and warn users about secret exposure when passing cookies/headers on the CLI. Treat the package as moderate risk until the installer and runtime code are audited.

LLM verification: This SKILL.md describes a legitimate-looking CLI web-scraping tool whose documented capabilities align with its purpose. However, it exposes high-risk features (anti-bot circumvention, CAPTCHA solving, proxying, forwarding of raw cookies/headers) and requires installation of fetcher/browser dependencies whose provenance isn't specified. Those factors make the skill potentially dangerous or easily abused, and they present supply-chain risk during the 'scrapling install' step.
I assess low probabil