firecrawl api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Firecrawl skill whose external API use is expected and disclosed, with reasonable safety guidance for keys, scraping scope, and untrusted content.

Install only if you intend to use Firecrawl as a third-party scraping service. Configure FIRECRAWL_API_KEY securely, do not scrape private/internal/tokenized URLs unless you are authorized and intentionally sending them to Firecrawl, set crawl limits to control cost, and treat scraped content as untrusted reference data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence: 87%
Finding: The skill explicitly instructs sending a user-supplied URL to Firecrawl's external API, but it does not warn that the target URL and related request context will be disclosed to a third party. This creates a privacy and data-handling risk, especially if users provide internal, sensitive, or tokenized URLs that should not leave the local trust boundary.

Missing User Warnings

Medium
Confidence: 89%
Finding: The recipe instructs sending a user-supplied root URL and retrieving page content through a third-party service, but it does not explicitly warn about privacy, data handling, or consent requirements. In practice this can cause users to transmit internal, sensitive, or regulated site content to Firecrawl without realizing a non-local processor is involved.

External Transmission

Medium
Category: Data Exfiltration
Content:
## Request shape

```json
POST https://api.firecrawl.dev/v2/scrape
Authorization: Bearer $FIRECRAWL_API_KEY
Content-Type: application/json
```
Confidence: 83%
Finding: https://api.firecrawl.dev/

External Transmission

Medium
Category: Data Exfiltration
Content:
## Example
```bash
# 1) Start
JOB=$(curl -s -X POST https://api.firecrawl.dev/v2/crawl \
  -H "Authorization: Bearer $FIRECRAWL_API_KEY" -H "Content-Type: application/json" \
  -d '{"url":"https://docs.firecrawl.dev","limit":25,"includePaths":["/features/"]}')
ID=$(echo "$JOB" | jq -r '.id')
```
Confidence: 85%
Finding: curl -s -X POST https://api.firecrawl.dev/v2/crawl \ -H "Authorization: Bearer $FIRECRAWL_API_KEY" -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category: Data Exfiltration
Content:
## Steps
1. Load the API key; abort if missing.
2. **Start the job**: POST `https://api.firecrawl.dev/v2/crawl` with `{ "url": url, "limit": limit }` (plus optional path scoping). Response returns an `id` (and a status URL).
3. **Poll**: GET `https://api.firecrawl.dev/v2/crawl/{id}` repeatedly with the Bearer header.
4. Inspect each poll response: `status` (`scraping` / `completed` / `failed`), `completed`, `total`, and `data[]` (pages so far).
5. Wait between polls with backoff (e.g., 2s → 5s → 10s, capped). Do NOT tight-loop.
Confidence: 84%
Finding: https://api.firecrawl.dev/

External Transmission

Medium
Category: Data Exfiltration
Content:
## Steps
1. Load the API key; abort if missing.
2. **Start the job**: POST `https://api.firecrawl.dev/v2/crawl` with `{ "url": url, "limit": limit }` (plus optional path scoping). Response returns an `id` (and a status URL).
3. **Poll**: GET `https://api.firecrawl.dev/v2/crawl/{id}` repeatedly with the Bearer header.
4. Inspect each poll response: `status` (`scraping` / `completed` / `failed`), `completed`, `total`, and `data[]` (pages so far).
5. Wait between polls with backoff (e.g., 2s → 5s → 10s, capped). Do NOT tight-loop.
6. Stop when `status === "completed"` (or `failed`). Handle pagination if the result set is large (follow `next` if present).
Confidence: 83%
Finding: https://api.firecrawl.dev/

External Transmission

Medium
Category: Data Exfiltration
Content:
## Example
```bash
# 1) Start
JOB=$(curl -s -X POST https://api.firecrawl.dev/v2/crawl \
  -H "Authorization: Bearer $FIRECRAWL_API_KEY" -H "Content-Type: application/json" \
  -d '{"url":"https://docs.firecrawl.dev","limit":25,"includePaths":["/features/"]}')
ID=$(echo "$JOB" | jq -r '.id')
```
Confidence: 85%
Finding: https://api.firecrawl.dev/

VirusTotal

64/64 vendors flagged this skill as clean.
