Back to skill

Security audit

Crawl4ai Docker Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed helper skill for a local Crawl4AI web crawler, with normal crawler, credential, and LLM privacy risks but no hidden or destructive behavior in the artifacts.

Install only if you intend to run a local crawler service. Restrict access to port 11235, pin the Docker image instead of using latest, protect .llm.env API keys, avoid crawling internal or authenticated pages unless intended, and do not use LLM extraction on sensitive content unless you accept the provider’s data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README instructs users to configure third-party LLM credentials and use intelligent extraction on crawled content, but it does not warn that page content, prompts, and possibly metadata may be transmitted to external providers. In a web-crawling skill, this omission can lead users to unknowingly send sensitive or copyrighted material off-host, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The LLM extraction section instructs users to send crawled page content to third-party LLM providers such as OpenRouter, but it does not warn that scraped content, prompts, metadata, and possibly sensitive page data may leave the local environment. In a web-scraping skill, this is especially risky because users may process internal, copyrighted, personal, or confidential material and unintentionally transmit it to external vendors.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `.llm.env` instructions show API key placement but omit guidance on secure credential handling, such as excluding the file from version control, limiting file permissions, and avoiding accidental exposure in logs or prompts. Because this skill integrates paid external providers, mishandled keys can lead to account compromise, billing abuse, and unauthorized data access.

External Transmission

Medium
Category
Data Exfiltration
Content
local strategy="${2:-markdown}"
    
    echo "🌐 抓取网页: $url"
    curl -s -X POST "$CRAWL4AI_URL/crawl" \
        -H "Content-Type: application/json" \
        -d "{\
            \"urls\": [\"$url\"],\n            \"extraction_strategy\": \"$strategy\"\n        }" | jq .
Confidence
92% confidence
Finding
curl -s -X POST "$CRAWL4AI_URL/crawl" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🤖 LLM 智能提取: $url"
    echo "指令: $instruction"
    
    curl -s -X POST "$CRAWL4AI_URL/crawl" \
        -H "Content-Type: application/json" \
        -d "{\
            \"urls\": [\"$url\"],\n            \"extraction_strategy\": {\n                \"type\": \"llm\",\n                \"provider\": \"$provider\",\n                \"instruction\": \"$instruction\",\n                \"max_tokens\": $max_tokens\n            }\n        }" | jq .
Confidence
96% confidence
Finding
curl -s -X POST "$CRAWL4AI_URL/crawl" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
local url="$1"
    
    echo "📸 生成网页截图: $url"
    curl -s -X POST "$CRAWL4AI_URL/screenshot" \
        -H "Content-Type: application/json" \
        -d "{\
            \"url\": \"$url\",\n            \"options\": {\n                \"full_page\": true,\n                \"quality\": 80\n            }\n        }" | jq .
Confidence
90% confidence
Finding
curl -s -X POST "$CRAWL4AI_URL/screenshot" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.