just-scrape

Fail

Audited by Socket on Feb 20, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill/CLI manifest is internally consistent with its declared purpose (AI-driven web scraping and browser automation) and the capabilities requested are plausible for that purpose. The primary security concerns are operational:
(1) encouraging users to place credentials in CLI steps/flags (risk of shell/process-listing and history leakage),
(2) persistence of API keys and session data to ~/.scrapegraphai/config.json without stated encryption, and
(3) unclear data retention/forwarding policies for scraped content, headers, cookies, and credentials (they likely flow to the service backend).

There is no evidence of obfuscated code or explicit malware in the provided document. Recommend treating this package as usable but with caution: avoid passing secrets on the command line, inspect how the tool stores config/history, and verify the privacy policy or source code to confirm whether scraped data and credentials are retained or transmitted to third parties.

LLM verification: No direct signs of code-level malware or obfuscation in the provided SKILL.md. The primary security concern is data/credential exposure: the skill is designed to capture website content and supports browser automation (login/fill) and explicit cookie/header forwarding, and it uploads data to the ScrapeGraph AI service (third-party). Persisting the API key to ~/.scrapegraphai/config.json and forwarding cookies/credentials are normal for this class of tool but increase risk if users feed sensitive

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 20, 2026, 06:27 PM
Package URL: pkg:socket/skills-sh/Jackiexiao%2Fjackie-skills-starter%2Fjust-scrape%2F@2d798ddcef94f135b8a72e80ebdbd884e4f9845e