Firecrawl Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Firecrawl API wrapper for search, scraping, and crawling, with no evidence of hidden exfiltration, persistence, or destructive behavior.

Install only if you are comfortable sending search terms, URLs, and retrieved page content to Firecrawl under your API key. Avoid internal, private, token-bearing, or regulated URLs, and monitor Firecrawl quota or billing when using crawl commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or platforms may invoke a skill with capabilities they did not explicitly approve, increasing the risk of unintended secret exposure or external data transmission.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill sends user-supplied queries and URLs to an external web-scraping service, but the documentation does not warn users that their inputs and retrieved content may be transmitted to a third party. That omission can cause accidental disclosure of sensitive URLs, internal endpoints, tokens embedded in URLs, or proprietary content to the external provider.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
When a user supplies a URL, the script submits that URL and causes page content to be retrieved and processed by an external third-party service, but the runtime flow provides little explicit warning about that data transfer. In an agent-skill context, this can surprise users and lead to unintended disclosure of internal, sensitive, or access-controlled web content to Firecrawl.

VirusTotal

64/64 vendors flagged this skill as clean.