intelligent-web-scraper
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4]

This skill's stated purpose and most capabilities align with a legitimate intelligent web scraper. However, several design choices create elevated supply-chain and local-credential risks: the strong recommendation to reuse existing browser profiles (preserving all logged-in sessions), reliance on an external unpinned setup/install flow (setup.sh, Crawl4AI), and the practice of saving per-site scraping scripts and progress files to disk. Those behaviors are disproportionate to a minimal scraper and could be abused to access and persist authenticated content or sensitive data. I classify this as SUSPICIOUS: use requires caution. Before running, users should verify and inspect setup.sh and all external installers, avoid using existing browser profiles unless absolutely necessary and consented to (or run in an isolated profile), and apply filesystem protections or encryption for experience/progress directories.

LLM verification: SUSPICIOUS — The skill's stated purpose (intelligent web scraping) aligns with most of its capabilities, but multiple aspects increase supply-chain and privacy risk: explicit instruction to reuse existing browser profiles (which exposes cookies/session tokens), reliance on a one-click setup.sh with unpinned dependencies, and use of remote debugging/CDP connections. Those features make it trivial for the skill (or a malicious modification of its scripts or setup) to harvest authenticated session