suspicious.env_credential_access
- Location: scripts/crawl4ai.js:12
- Finding: Environment variable access combined with network send.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.env_credential_access
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If CRAWL4AI_URL points to an untrusted or remote service, that service could receive the API key and requested URLs.
The script reads an optional API key from the environment and sends it as a Bearer token to the configured Crawl4AI endpoint. This is purpose-aligned and disclosed, but the endpoint should be trusted.
const CRAWL4AI_KEY = process.env.CRAWL4AI_KEY; ... headers['Authorization'] = `Bearer ${CRAWL4AI_KEY}`;
Use a trusted local Crawl4AI instance when possible, and only set CRAWL4AI_KEY for endpoints you control or trust.
Installation or setup UI may not warn that the skill needs a configured Crawl4AI endpoint and may use an API key.
The registry metadata does not declare required environment variables, while SKILL.md and the script require CRAWL4AI_URL and document optional CRAWL4AI_KEY. This is a setup visibility gap rather than hidden behavior.
Required env vars: none
Env var declarations: none
Before use, set CRAWL4AI_URL deliberately and review whether CRAWL4AI_KEY is needed for your instance.