Firecrawl CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a transparent Firecrawl CLI reference for web scraping and browser automation, but it requires trusting an external CLI, Firecrawl credentials, and optional browser-session state.
Before installing, verify the Firecrawl CLI package, use a dedicated API key if possible, set crawl limits, confirm any browser actions that could change website state, and avoid reusing browser profiles that contain sensitive logins unless that is intentional.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global CLI means trusting that npm package to run on the local machine during install and use.
The skill requires installing a global npm package outside the artifact set. This is expected for a CLI integration, but users should verify the package source before installing.
npm install -g firecrawl-cli
Install only from the official Firecrawl package/source, consider pinning a version, and run it with least-privileged local permissions.
The agent may use a Firecrawl account/API key and consume credits while scraping, crawling, searching, or running browser sessions.
The skill uses Firecrawl account authentication and may consume account credits. This is expected for the service, but it is not reflected in the registry credential declarations.
Requires firecrawl-cli installed ... and authentication (firecrawl login or FIRECRAWL_API_KEY env var).
Use a dedicated Firecrawl API key where possible, monitor credit usage, and revoke credentials or log out when they are no longer needed.
Unbounded crawls or browser actions could consume credits, interact with websites, or perform actions the user did not intend.
The reference exposes broad crawling and cloud browser automation, including click/fill actions and Python/JavaScript execution in the browser session. These are aligned with the stated purpose but can be high-impact if used without clear user direction.
firecrawl crawl https://example.com --crawl-entire-domain --wait ... firecrawl browser execute "click @e5" ... firecrawl browser execute --python 'await page.goto(...)'
Use explicit target URLs, crawl limits, and user confirmation before large crawls, form submissions, account actions, or other non-read-only browser automation.
A reused browser profile may retain cookies or other session state, which can affect later automation and expose sensitive account context to future tasks.
Saved browser profiles can persist browser state across sessions. If used after logging into sites, that state may include sensitive session information.
firecrawl browser launch-session --profile myprofile # Save/reuse browser state
Use throwaway profiles for general scraping, avoid logging into sensitive accounts unless necessary, and clear browser state or log out after use.
