Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Scraper - Firecrawl
v1.0.0
Web scraping and content extraction using Firecrawl API. Use when users need to crawl websites, extract structured data, convert web pages to markdown, scrap...
by antonia huang (@antonia-sz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md and the included script all describe a Firecrawl API client (scrape, crawl, map, batch, extract) which is coherent with the declared purpose. However the registry metadata lists no required environment variables or primary credential even though both SKILL.md and the script require a FIRECRAWL_API_KEY to operate.
Instruction Scope
SKILL.md instructs users to set FIRECRAWL_API_KEY and to install the Python 'requests' dependency, but the included script reads FIRECRAWL_API_KEY from the environment and uses urllib (not requests). The instructions expect an external API key and allow reading schema and URL list files — which is expected — but the mismatch between docs and code and the presence of an apparent truncation/typo near the end of the script (an isolated 's' and truncated file content) are concerning and reduce confidence in correctness.
Install Mechanism
No install spec is provided (instruction-only installation) and the code file is included in the skill bundle. No remote downloads or archive extraction are used, which minimizes install-time risk.
Credentials
Only FIRECRAWL_API_KEY is used by the script (reasonable for a third-party scraping API), but the skill metadata did not declare any required env vars or a primary credential. The omission is a mismatch that could confuse users, who may end up supplying a secret they were not told the skill needs. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system-wide privileges. It does write output files when asked and reads user-provided files (schemas, URL lists), which is expected behavior.
What to consider before installing
This skill appears to be a Firecrawl API client, which requires you to provide a FIRECRAWL_API_KEY. Before installing:
(1) Confirm the registry metadata is updated to list FIRECRAWL_API_KEY as a required/primary credential so you know what secret the skill needs.
(2) Inspect and fix the included scripts: SKILL.md recommends installing 'requests' but the script uses urllib, and the script appears truncated and contains a stray character; ask the publisher for a corrected release.
(3) Only provide an API key if you trust the endpoint (https://firecrawl.dev) with it; consider creating a limited-scope or replaceable key.
(4) Because the skill contacts an external API, avoid supplying highly privileged credentials or long-lived tokens unless you trust the provider.
If the author corrects the metadata and the script (removing the truncation and aligning docs with code), reassess; that would likely move this to 'benign'.
Like a lobster shell, security has layers — review code before you run it.
Tags: crawler, data-extraction, latest, web-scraping
