scrapfly-screenshot
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill integrates with the official Scrapfly SDK (
scrapfly-sdk) and utilizes the vendor's legitimate API domain (api.scrapfly.io). All external resources are owned by the skill author. - [SAFE]: Credential management follows industry standards by instructing the agent or user to provide the
SCRAPFLY_API_KEYvia environment variables rather than hardcoding it. - [SAFE]: The skill provides a mechanism to execute JavaScript on the target webpage before capture. This functionality is a core feature of the Scrapfly service and is executed within the vendor's isolated rendering environment, posing no risk to the local system.
- [SAFE]: The skill ingests external URLs provided by the user to perform its primary function. While this is a surface for indirect prompt injection if the resulting screenshot is analyzed by the agent, it is the intended purpose of the tool and is documented transparently.
- [SAFE]: Support for a
webhookparameter allows the API to send results to an external endpoint, which is a standard feature for asynchronous API operations.
Audit Metadata