scrapling

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Because the package is delivered from an unknown GitHub user and the skill explicitly instructs running an install script that downloads Chromium and other binaries (plus references to several untrusted/placeholder domains), these URLs represent a plausible vector for distributing malicious scripts/binaries and should be treated with caution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md, CLI docs, and scripts/scrapling_fetch.py explicitly fetch arbitrary public URLs (e.g., Fetcher.get(url), DynamicFetcher.fetch, StealthyFetcher.fetch) and return/parse page.text or extracted elements, and the Spider examples parse page content and generate follow-up Requests—so untrusted third‑party web content is ingested and can directly influence subsequent actions.