Crawl4AI Web Scraper

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated web-scraping purpose, but users should configure only a trusted Crawl4AI endpoint because an optional API key is sent there.

This skill appears safe for its stated purpose if you run it against a Crawl4AI instance you trust. Make sure CRAWL4AI_URL points to your intended local or controlled service, and avoid setting CRAWL4AI_KEY for any endpoint you do not control.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If CRAWL4AI_URL points to an untrusted or remote service, that service could receive the API key and requested URLs.

Why it was flagged

The script reads an optional API key from the environment and sends it as a Bearer token to the configured Crawl4AI endpoint. This is purpose-aligned and disclosed, but the endpoint should be trusted.

Skill content
const CRAWL4AI_KEY = process.env.CRAWL4AI_KEY;
...
headers['Authorization'] = `Bearer ${CRAWL4AI_KEY}`;

Recommendation

Use a trusted local Crawl4AI instance when possible, and only set CRAWL4AI_KEY for endpoints you control or trust.

What this means

Installation or setup UI may not warn that the skill needs a configured Crawl4AI endpoint and may use an API key.

Why it was flagged

The registry metadata does not declare required environment variables, while SKILL.md and the script require CRAWL4AI_URL and document optional CRAWL4AI_KEY. This is a setup visibility gap rather than hidden behavior.

Skill content
Required env vars: none
Env var declarations: none

Recommendation

Before use, set CRAWL4AI_URL deliberately and review whether CRAWL4AI_KEY is needed for your instance.