Firecrawl Web Scraper

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Firecrawl scraper, but it uses a Firecrawl API key, shares requested URLs or search queries with Firecrawl, and can spend API credits.

This skill is reasonable to install if you intend to use Firecrawl. Before using it, provide only the Firecrawl API key you want it to use, set crawl/search limits to avoid unexpected credit use, avoid private or internal URLs unless you are comfortable sending them to Firecrawl, and treat scraped web content as untrusted input.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Broad crawls or searches may consume Firecrawl credits and retrieve more web content than intended.

Why it was flagged

The skill can launch multi-page crawls through a credit-metered API. This is expected for a web scraper, but users should set limits intentionally.

Skill content

python3 scripts/scrape.py --crawl https://docs.example.com --depth 2 --limit 10 ... Crawl: 1 credit per page crawled

Recommendation

Use explicit low limits for crawls/searches, confirm targets before running, and monitor Firecrawl credit usage.

What this means

Installing and using the skill gives it access to the configured Firecrawl account and its available credits.

Why it was flagged

The script reads a Firecrawl API key from local secret paths or an environment variable, then uses it as a bearer token for Firecrawl API calls.

Skill content

possible_paths = ["workspace/secrets/firecrawl_api_key", "secrets/firecrawl_api_key", ...]; return os.getenv("FIRECRAWL_API_KEY")

Recommendation

Use a scoped Firecrawl key if available, rotate it if exposed, and only provide a key you intend this skill to use.

What this means

Users have less provenance information and may need to verify local Python dependencies themselves.

Why it was flagged

The package includes runnable code, but the registry provenance and install/dependency metadata are sparse.

Skill content

Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... 1 code file(s): scripts/scrape.py

Recommendation

Inspect the included script before use and prefer adding clear source, homepage, binary, dependency, and credential declarations.

What this means

A scraped page could include text that tries to manipulate the agent or distort downstream analysis.

Why it was flagged

The skill is designed to feed scraped website text into an AI workflow, and arbitrary web pages may contain untrusted instructions or misleading content.

Skill content

Convert HTML to clean markdown for LLM processing ... Perfect for RAG, summarization, analysis

Recommendation

Treat scraped content as untrusted data and do not follow instructions embedded in web pages unless the user explicitly approves.

What this means

The target URLs, search queries, and related request metadata are shared with Firecrawl.

Why it was flagged

Requested URLs and scrape options are sent to Firecrawl's external API, which is core to the skill's function.

Skill content

payload = {"url": url, ...}; requests.post("https://api.firecrawl.dev/v1/scrape", ... json=payload, ...)

Recommendation

Avoid submitting private, internal, or confidential URLs or queries unless sharing them with Firecrawl is acceptable.