Initialize or update a knowledge base for a project, business, or client. Triggers on "init kb", "build kb", "create kb for X", "set up kb", "new kb" (init),...
Security Analysis
Medium confidence: The skill's purpose (building a scraped knowledge base via Firecrawl) is plausible, but there are multiple internal inconsistencies and some unclear handling of sensitive data (API key and scraped content) that you should review before installing.
The declared purpose — scrape sites/social profiles via Firecrawl and build KB files — matches the instructions. However the skill metadata and docs disagree about basic facts (SKILL.md describes 9 KB files, WALKTHROUGH.md repeatedly describes 7 files and different filenames; registry metadata lists version 2.0.0 while _meta.json shows 1.0.0). Also the skill uses an external Firecrawl API key but the registry 'requires.env' is empty (FIRECRAWL_API_KEY is referenced in runtime instructions but not declared). These mismatches are incoherent and should be clarified.
The SKILL.md instructs the agent to: check for FIRECRAWL_API_KEY (env var or .firecrawl/api-key.txt), save a provided key into .firecrawl/api-key.txt, scrape full websites and social profiles and store cached crawl data under .firecrawl/, and offer snippets to add to project AGENTS.md/CLAUDE.md. Storing scraped pages and social content in workspace cache can include sensitive/PII data — the skill will write these files to disk. There are also contradictory instructions about on-demand loading vs adding a boot sequence to load KBs at startup. These behaviors extend the skill's scope (local file writes, long-lived cached data, and suggested config changes) and should be confirmed.
Instruction-only skill with no install spec and no code files — lowest install risk. The runtime relies on Firecrawl REST API (via curl) which is expected for a scraper-based KB builder.
The skill requires a Firecrawl API key to function (FIRECRAWL_API_KEY) but the registry metadata lists no required environment variables or primary credential — an omission. The instructions also recommend saving the key into the user's shell rc (e.g., ~/.zshrc) and into .firecrawl/api-key.txt, creating multiple persistent copies of the secret. Persisting API keys and scraped crawl data in the workspace is functionally necessary but sensitive; the skill's declarations should explicitly request the credential and document storage and retention policies.
The skill is not 'always: true' and is user-invocable (normal). It will persist data in the workspace (.firecrawl/, site-content/, generated KB files) and suggests adding config snippets to AGENTS.md/CLAUDE.md. Persisting cached scrapes and API keys in the project is powerful but expected for a KB builder — just be aware of the long-lived data and potential auto-load configuration (which the docs contradict).
Guidance
Before installing or running this skill: (1) Confirm you trust the Firecrawl service and the skill author — this skill scrapes external sites and stores the full results in .firecrawl/ and site-content/ (may include PII). (2) Do not paste your Firecrawl API key into an open chat; prefer setting it in your environment and review .firecrawl/api-key.txt after the skill runs. (3) Ask the author to fix metadata inconsistencies (declared required env vars, exact KB filenames/count, and version numbers) and to clearly document where API keys and cached data are stored and how to delete them. (4) Verify whether the skill will modify AGENTS.md to auto-load the KB — that conflicts with its 'on-demand only' claim; if you don't want auto-loading, decline adding boot snippets. (5) Do the first runs in an isolated project or sandbox and review all generated files before sharing. (6) Check cost/credit prompts before allowing a full crawl (the skill says it will ask, but verify during use).
Latest Release
v2.0.0
CRITICAL FIX: KB files now load on-demand only, never at boot. Prevents context bloat in multi-project workspaces. Updated Phase 7 integration guidance to enforce on-demand loading pattern. All end users must update to prevent massive context waste.
Published by @kevjade on ClawHub