Is donatasdecodo/decodo-scraper safe?

https://github.com/openclaw/skills/tree/main/skills/donatasdecodo/decodo-scraper

90
SAFE

This skill provides legitimate web scraping functionality through the Decodo commercial API service. The code is straightforward and contains no malicious behavior, but users should be aware that queries and URLs are transmitted to an external service.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM User data transmitted to external API -25

The skill sends user search queries, URLs, and API authentication tokens to scraper-api.decodo.com. While this is the documented functionality, it could expose sensitive information if users provide sensitive search terms or URLs that should remain private.

LOW External service dependency and privacy considerations -15

The skill depends entirely on a commercial third-party API service. Users should be aware that their scraping requests, and potentially the scraped data, may be logged or retained by Decodo's service according to its privacy policy.

LOW Potential for indirect content injection -5

The skill itself contains no prompt injection, but it can retrieve arbitrary web content, and that content could contain malicious prompts that take effect if it is fed back to the agent. However, this is inherent to any web scraping functionality.