crawl4ai

Fail

Audited by Snyk on Jun 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets verbatim (e.g., api_token: "your-token", login js_code with username/password, proxy_config username/password), which requires placing API keys/passwords directly into configs/commands and therefore forces the LLM to handle or output secret values.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). At runtime, the skill crawls user-supplied URLs and ingests the fetched page content (e.g., converted to markdown/html) into the agent’s LLM context, which is outsider-authored free text from public web pages.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 28, 2026, 06:19 PM
Issues
2
Security Audit — snyk — crawl4ai