Crawl4AI Web Scraper
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: crawl-for-ai
Version: 1.0.1
This skill bundle is designed to interact with a user-configured local Crawl4AI instance for web scraping. The `scripts/crawl4ai.js` file makes HTTP POST requests to the `CRAWL4AI_URL` (an environment variable) and includes an optional `CRAWL4AI_KEY` for authentication. All network activity is directed to the explicitly configured endpoint, which is essential for its stated purpose. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` designed to manipulate the AI agent into harmful actions. The code is transparent and aligns with the description of a tool for a self-hosted service.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If CRAWL4AI_URL points to an untrusted or remote service, that service could receive the API key and requested URLs.
The script reads an optional API key from the environment and sends it as a Bearer token to the configured Crawl4AI endpoint. This is purpose-aligned and disclosed, but the endpoint should be trusted.
const CRAWL4AI_KEY = process.env.CRAWL4AI_KEY; ... headers['Authorization'] = `Bearer ${CRAWL4AI_KEY}`;
Use a trusted local Crawl4AI instance when possible, and only set CRAWL4AI_KEY for endpoints you control or trust.
Installation or setup UI may not warn that the skill needs a configured Crawl4AI endpoint and may use an API key.
The registry metadata does not declare required environment variables, while SKILL.md and the script require CRAWL4AI_URL and document optional CRAWL4AI_KEY. This is a setup visibility gap rather than hidden behavior.
Required env vars: none
Env var declarations: none
Before use, set CRAWL4AI_URL deliberately and review whether CRAWL4AI_KEY is needed for your instance.
