crawl4ai
Fail
Audited by Snyk on Jun 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples of API tokens, proxy credentials, and login passwords embedded directly into config files and YAML (e.g., api_token: "your-token", proxy username/password, js_code with password), which would require the agent to accept, store, or emit secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). The skill’s runtime crawl path fetches arbitrary public web pages/URLs and converts their HTML into markdown (e.g.,
crwl <url>/AsyncWebCrawler.arun(url)→result.markdown), so outsider-authored free text from those pages is ingested into the agent’s LLM context via the produced markdown/content.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill documentation for high-entropy, literal credentials.
Flagged:
- Found a high-entropy API token: gsk_1ClHGGJ7Lpn4WGybR7vNWGdyb3FY7zXEw3SCiy0BAVM9lL8CQv This appears in the LLMConfig / Complete SDK Reference examples (LLMConfig section). It is long, random-looking, and uses a "gsk_" prefix consistent with real API tokens — not a generic placeholder — so it meets the definition of a secret.
Ignored items (not flagged) and why:
- "sk-YOUR_API_KEY", "your-token", "your-api-token", "sk-YOUR_API_KEY", "your-openai-token" etc. — documentation placeholders (explicitly example values).
- "user", "pass" and similar short strings used in examples (proxy_config, login examples) — low-entropy setup/example values.
- Environment variable references like "env:GEMINI_API_TOKEN" or os.getenv("OPENAI_API_KEY") — names only, no secret value present.
- Any truncated/redacted forms or clearly labeled sample values — treated as placeholders per the rules.
Because the gsk_... string is a complete, high-entropy token and not marked as a placeholder, I mark it as a real secret present in the documentation.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata