Is ai-mrscraper/mrscraper safe?

https://github.com/openclaw/skills/tree/main/skills/ai-mrscraper/mrscraper

90
SAFE

MrScraper is a clean API-integration skill containing only documentation and no executable code, prompt injection payloads, or malicious instructions. Installation was well-behaved, with network activity limited to the expected GitHub clone. The primary concerns are architectural: the unblocker API authenticates via URL query parameters (token exposure risk), and the skill's core capabilities — stealth browsing, IP rotation, and bulk URL scraping — are dual-use tools that could be weaponized if an agent is given malicious instructions while this skill is loaded.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM API Token Exposed as URL Query Parameter -15

The unblocker endpoint authenticates via a 'token' query parameter appended to the GET URL. Query parameters are routinely captured in web server access logs, reverse proxy logs, browser history, and HTTP Referer headers sent to scraped sites. Any MRSCRAPER_API_TOKEN passed this way may be inadvertently disclosed to third parties or persisted in logs accessible to attackers.

LOW Stealth Browser and IP Rotation Enable Anonymized Scraping -18

The skill markets bypassing captcha and anti-bot protections as a core feature. These capabilities can be used to scrape sites that have explicitly prohibited automated access, evade rate limits protecting sensitive endpoints, and mask the origin of scraping activity. When an LLM agent has this skill, a sophisticated user or prompt-injected instruction could direct it to scrape protected resources anonymously.

LOW Arbitrary URL Scraping Enables Internal Service Reconnaissance -7

All seven endpoints accept arbitrary target URLs that are forwarded to MrScraper's infrastructure for fetching. If the agent is running in an environment with internal HTTP services (metadata endpoints, admin panels, localhost services), a crafted user request or prompt injection could direct the agent to scrape those endpoints and return the content.

LOW Bulk Rerun Endpoint Enables High-Volume Scraping Campaigns -10

The /api/v1/scrapers-ai-rerun/bulk endpoint accepts an array of URLs and runs a single scraper configuration across all of them in parallel. This enables large-scale scraping campaigns that could constitute abuse of third-party services or generate DoS-adjacent load.

INFO Token Suppression Instruction Could Limit Agent Transparency -8

The instruction 'Never expose tokens in logs, commits, or output' is standard security hygiene, but when injected into an agent's system prompt it also instructs the agent to withhold information from users. This is benign in intent but represents a class of output-suppression instructions.

INFO Clean Installation — Expected Network Behavior Only 0

Installation connected only to github.com for the git sparse-checkout clone. Ubuntu system update and Snap store connections were observed but originate from the OS, not the skill. There were no unexpected DNS queries and no connections to mrscraper.com during install, which is correct because the skill is API-only at runtime.

INFO Canary Files Read by Audit Harness, Not Skill 0

Two batches of canary file reads were observed (timestamps 1771919035 and 1771919053). Both are attributable to the oathe audit framework itself performing baseline and post-install integrity checks. All reads are CLOSE_NOWRITE (read-only). No network exfiltration of canary content was detected.