XCrawl
Security checks across static analysis, malware telemetry, and agentic risk
Overview
XCrawl is a coherent instruction-only integration for calling XCrawl’s scraping API, but users should protect the API key, review optional cookies/headers/webhooks, and treat scraped output as untrusted.
Before installing, verify you trust the XCrawl service and account dashboard, store the API key carefully, and only provide URLs, cookies, headers, or webhooks that you are comfortable sending to XCrawl. The supplied SKILL.md excerpt was truncated, so this review is based on the visible artifacts only.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the agent can run curl/node commands for XCrawl requests, and it also has file tools that could read or edit local files if used outside the documented workflow.
The skill grants command execution through curl/node as well as file tools. This is largely consistent with an instruction-only API integration, but the file tools are broader than the core scrape call requires.
allowed-tools: Bash(curl:*) Bash(node:*) Read Write Edit Grep
Approve only XCrawl-related commands and keep any file reads/writes limited to the intended config or user-requested output.
Requests made through the skill can consume XCrawl credits and act under the user's XCrawl API key.
The skill uses a local XCrawl API key to authenticate requests. This is expected for the service, but it gives the agent access to the user's XCrawl account quota.
Path: `~/.xcrawl/config.json` ... `"XCRAWL_API_KEY": "<your_api_key>"` ... `Authorization: Bearer <XCRAWL_API_KEY>`
Store the key securely, use the least-privileged or revocable key available, and monitor XCrawl credit usage.
Supplying login cookies, authorization headers, or a webhook could expose private page access or scraped results to XCrawl and/or the webhook destination.
The documented API options allow user-supplied cookies, headers, and webhooks to be included in XCrawl requests. These can carry sensitive session data or route results to another endpoint if the user chooses to use them.
`cookies` | object map ... `headers` | object map ... `webhook` | object | ... Async webhook config
Avoid sending session cookies or authorization headers unless necessary, confirm webhook destinations, and do not scrape private account pages unless you understand the data-sharing implications.
A malicious webpage could include text that tries to influence the agent if the scraped response is later summarized or acted on.
Raw scraped web content can contain untrusted instructions or misleading text. The skill does not appear to make that text authoritative, but downstream agents should treat it as data.
Default behavior is raw passthrough: return upstream API response bodies as-is.
Treat scraped page content as untrusted input and do not follow instructions found inside retrieved webpages unless the user explicitly asks.
