Firecrawl CLI for web scraping, crawling, and search. Scrape single pages or entire websites, map site URLs, and search the web with full content extraction. Returns clean markdown optimized for LLM context. Use for research, documentation extraction, competitive intelligence, and content monitoring.
Security Analysis
High confidence: The skill's instructions expect an API key and recommend installing an npm package, but the registry metadata doesn't declare any required credentials or a source/homepage — this mismatch and the unknown package origin are reasons for caution.
Name/description match a web-scraping CLI and the SKILL.md instructs use of a firecrawl CLI (search/scrape/crawl). However the skill metadata declares no required credentials or binaries while the instructions repeatedly reference FIRECRAWL_API_KEY and an npm package (firecrawl-cli). The missing declaration of the API key and the absent source/homepage make the declared capabilities and the requested setup inconsistent.
Runtime instructions direct the agent/user to install an npm package, run authentication (including a browser-based login that 'automatically opens the browser'), create a .firecrawl directory, and prompt the user to paste API keys if needed. The instructions therefore ask the agent to request and handle a sensitive secret (API key) and to open the user's browser — actions outside of simple 'read a URL' behavior and which should be explicit and consented to. The SKILL.md also tells agents to ask the user for credentials using an ask-user tool, which is appropriate only if the user is aware of the sensitivity.
There is no install spec in the registry (instruction-only), but SKILL.md advises `npm install -g firecrawl-cli`. Installing from npm is a common pattern, but the package's source/homepage is not provided and 'Source: unknown' in the registry means the package origin and trustworthiness are unclear. This is a moderate risk — verify the npm package and inspect its code before installing.
The instructions require FIRECRAWL_API_KEY and describe setting it in shell profiles, but the skill metadata lists no required env vars or primary credential. That mismatch is problematic: the runtime behavior expects a sensitive secret while the manifest does not declare it. No other unrelated credentials are requested, but asking users to paste API keys into an agent workflow is a sensitive operation and should be highlighted to the user.
`always` is false and there are no required config paths beyond a local .firecrawl directory (which the instructions explicitly confine to the working directory and request adding to .gitignore). The skill does not request system-wide privileges or alter other skills' configs. Note: `disable-model-invocation` is false (normal), so the agent could invoke the skill autonomously; weigh this together with the other concerns when deciding whether to allow autonomous invocation.
Guidance
This skill advises installing an npm package (firecrawl-cli) and expects a FIRECRAWL_API_KEY, but the registry metadata doesn't declare that key or provide a source/homepage. Before installing or providing secrets:
1) Verify the npm package (check its npm page, repository, and homepage); inspect the package code or source repository for malicious behavior.
2) Prefer the browser-based login flow over pasting API keys into chat; never paste secrets into an LLM conversation.
3) If you must provide an API key, consider using a short-lived key or scoped key and avoid adding it to shared shell profiles.
4) Disable autonomous invocation or require explicit user confirmation if you don't want the agent to perform installs, open your browser, or attempt logins by itself.
5) Be aware that large-scale scraping can have legal/ToS implications and may consume paid credits — verify pricing/limits on the official provider site before running crawls.
Latest Release
v1.0.0
Initial release of Firecrawl CLI with full documentation.
- Introduces the firecrawl command-line tool for web scraping, crawling, site mapping, and search.
- Supports extracting clean markdown, HTML, links, screenshots, and JSON, optimized for LLM context windows.
- Provides authentication, credit management, and result storage conventions.
- Includes detailed command usage examples for search, scrape, crawl, and map operations.
- Offers extensive filtering and formatting options for each command.
Published by @firecrawl on ClawHub