Firecrawl Scrape

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Firecrawl webpage-scraping skill, with expected external URL fetching and local output files.

Install this if you want an agent to use Firecrawl for webpage extraction. Be careful with URLs that include secrets, private documents, internal hosts, or sensitive query parameters, because requested pages may be processed by Firecrawl and saved into local .firecrawl files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill description includes broad trigger phrases like 'fetch', 'get the page', and 'read this webpage', which overlap with common user requests and can cause the agent to invoke this skill more often than users likely intend. Because the skill sends user-provided URLs to an external scraping service and can write retrieved content to local files, overbroad routing increases the chance of unnecessary external data disclosure and unexpected file creation.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill documentation omits a clear warning that using the skill transmits user-supplied URLs and page fetches to an external Firecrawl service and stores results in local output files such as .firecrawl/page.md. This reduces informed consent and can expose sensitive URLs, query parameters, internal endpoints, or scraped content unexpectedly, especially when users do not realize a third-party service and local persistence are involved.

VirusTotal

64/64 vendors flagged this skill as clean.
