scraperapi-mcp
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the ScraperAPI MCP server via pip or npx, which are standard package management operations for the vendor's tools.
- [COMMAND_EXECUTION]: Setup instructions involve running the MCP server through shell commands, which is necessary for its integration and follows the vendor's official documentation.
- [DATA_EXFILTRATION]: A callback URL feature for the crawler tool is documented with an explicit requirement for the agent to seek user confirmation before use, mitigating potential data exposure risks.
- [PROMPT_INJECTION]: The skill processes external web data, representing a surface for indirect prompt injection. Ingestion points include the scrape and search tools (SKILL.md), with no specific boundary markers or sanitization defined for the scraped content. Capabilities include subprocess execution as part of the MCP setup (references/setup.md).
Audit Metadata