crawl4ai
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill prompt includes examples that pass session IDs and similar credentials directly on the command line (e.g., crwl ... -c "session_id=user_session") and references proxy/auth configuration, which encourages embedding secret values verbatim in commands/requests and thus creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). At runtime, the skill’s
/crawl4ai <url>path invokes Crawl4AI’s headless browser to fetch the user-supplied URL and then ingests the fetched page’s rendered text/HTML into the agent context as returned markdown (outsider-authored web content via network fetch + HTML→markdown conversion).
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill docs for literal high-entropy credentials. I found one likely real API key string:
- gsk_1ClHGGJ7Lpn4WGybR7vNWGdyb3FY7zXEw3SCiy0BAVM9lL8CQv
Why I flag it:
- It is a long, random-looking token (high entropy) and matches common API-key formatting (gsk_...).
- It is presented as an inline example value for LLMConfig.api_token (not as "env:" or a placeholder), so it appears to be an actual token rather than a generic placeholder.
Other potential-looking items I ignored (and why):
- sk-YOUR_API_KEY, sk-YOUR_API_KEY (placeholders) — documentation placeholders.
- "your-openai-token", "your-api-token" — obvious example placeholders.
- env:GEMINI_API_TOKEN, api_token = "env:GEMINI_API_TOKEN" — environment-variable reference, not a literal secret.
- Any short/simple strings (e.g., "openclaw", "1234", "clawd") — setup/example values per the ignore rules.
- Truncated/redacted forms (e.g., sk-...) — not flagged per rules.
Files/locations:
- The gsk_ token appears in the complete-sdk-reference.md examples (LLMConfig / LLM examples).
Because the gsk_ value is a literal, high-entropy token present in the docs, it meets the definition of a secret and should be treated as a leak.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata