Is donatasdecodo/decodo-scraper-skill safe?

https://github.com/openclaw/skills/tree/main/skills/donatasdecodo/decodo-scraper-skill

87
SAFE

The decodo-scraper-skill is a legitimate web scraping integration for the Decodo commercial API service. The codebase is clean — no prompt injection, no malicious code, no credential harvesting, and installation was confined to expected GitHub network access with all canary files remaining intact. The primary security consideration is structural: the skill routes all agent web activity (every URL fetched, every search query, every scraped response) through Decodo's third-party infrastructure, creating a persistent data channel to a commercial provider and a supply-chain trust dependency on Decodo's API integrity.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 74/100 · 25%
Code Execution 84/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (7)

MEDIUM All agent web activity routed through Decodo third-party infrastructure -15

Every URL, query, and scraped response is transmitted to scraper-api.decodo.com with a user-supplied Basic auth token. Decodo's infrastructure logs the full history of the agent's web research. This is by design but represents a privacy and supply-chain trust dependency.

MEDIUM Trusted third-party position enables content manipulation and surveillance -15

A compromised or malicious Decodo API could return adversarially crafted content, observe all agent research patterns, or selectively poison search results. This is a supply-chain risk inherent to routing agent I/O through a commercial proxy.

LOW No URL validation allows SSRF-class URL forwarding to third party -8

The --url parameter is passed verbatim to Decodo's API. Internal-network or cloud-metadata URLs passed by a confused or injected agent would be logged by Decodo. Decodo's proxies are unlikely to reach the user's internal network, limiting actual impact.

LOW Executable Python script with outbound HTTP requests -16

tools/scrape.py is a fully functional script with outbound network capability. No malicious code patterns, dynamic execution, or subprocess calls detected. Standard library usage only.

LOW Scraped content enters agent context unfiltered, enabling prompt injection relay -7

Raw page content returned by the universal scraper is injected directly into the agent's context. Adversarially crafted web pages could contain LLM instructions that hijack agent behavior in combination with other installed skills.

INFO Clean installation — only expected GitHub connection observed -7

Git clone connected exclusively to 140.82.121.4:443 (GitHub). Pre-existing Ubuntu/Canonical connections are OS-level, not skill-induced. No new persistent listeners or established connections after install.

INFO Honeypot file accesses attributable to audit framework, not skill 0

Canary file accesses occurred 5 seconds before git clone, consistent with Oathe's pre-install baseline sweep. No skill code accessed or modified canary files at any point.