Crawl4ai
Audited by ClawScan on May 10, 2026.
Overview
This web-scraping skill mostly matches its stated purpose, but its documentation includes bot-detection evasion advice and an unrelated GitHub login instruction that users should review before use.
Use this only for authorized scraping. Avoid the Cloudflare/proxy evasion advice unless you have explicit permission, do not run the GitHub login command for this skill, install any required crawl4ai dependency from a trusted pinned source, and run browser-based scraping in a sandbox with carefully chosen output paths.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this advice could violate website terms, bypass site protections, or get the user's IPs/accounts blocked.
This is explicit guidance for working around a site's bot-detection controls rather than merely handling ordinary scraping errors.
Cloudflare bot detection | Use residential proxy, vary user-agent
Only scrape sites where you have permission, respect robots.txt and terms of service, and avoid anti-bot evasion techniques unless you have explicit authorization.
A user might unnecessarily authenticate a GitHub account and leave a local session/token available to other tools.
GitHub CLI authentication is unrelated to the stated web-scraping purpose and could grant a local tool account credentials that this skill does not otherwise require.
Solution:
```bash
gh auth login
```
Do not run `gh auth login` for this skill unless an independent, clearly scoped task actually requires GitHub access.
Unsafe or unreviewed JavaScript could interact with the loaded page or produce misleading extraction results.
The skill supports executing custom JavaScript in a headless browser; this is purpose-aligned for dynamic scraping but is still code execution in the browser context.
Custom JavaScript Injection ... js_code=custom_js, js_only=True
Review any custom JavaScript before running it, avoid logged-in or sensitive browser sessions, and prefer a sandboxed environment.
Users may need to install an unpinned external package to make the scripts work, which can introduce supply-chain risk.
The runnable scripts depend on an external `crawl4ai` package, while the supplied install information says there is no install spec, leaving dependency source and version outside the reviewed artifacts.
from crawl4ai import AsyncWebCrawler, BrowserMode
Install dependencies only from trusted sources, pin versions, and review the package provenance before running the scripts.
