scrapling

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed credentials verbatim (e.g., "http://user:pass@proxy3:8080" and login_page.fill(...'password','pass')), which encourages placing secrets directly into commands/code and thus risks secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md) and runtime scripts (scripts/scrapling_scrape.py and scripts/scrapling_smoke_test.py) explicitly accept arbitrary URLs and call fetchers (fetch_page/fetch_dynamic/fetch_stealthy) and spiders that retrieve and parse public web pages and follow extracted links, meaning untrusted third-party content is ingested and can directly drive subsequent tool actions.