Low Risk — Risk Score 15/100
Last scan: 18 hr ago
cf-crawl
Crawl websites using Cloudflare Browser Rendering /crawl API
This is a legitimate Cloudflare Browser Rendering API crawler with properly documented credentials handling, no obfuscation, and all network traffic confined to the intended Cloudflare API endpoint.
Skill Name: cf-crawl
Duration: 51.3s
Engine: pi
Safe to install
Skill is safe to use. Ensure credential file permissions are restricted (chmod 600) and consider pinning jq version in any environment setup.

Findings 2 items

Severity: Low
Finding: Minor documentation inconsistency (Doc Mismatch)
Location: SKILL.md:32
poll.sh is referenced in examples but not explicitly shown in Quick Start usage examples. Minor UX issue, not a security concern.
bash ~/clawd/skills/cf-crawl/scripts/poll.sh <job-id>
→ Consider adding poll.sh to Quick Start examples for completeness

Severity: Low
Finding: jq dependency not version-pinned (Supply Chain)
Location: scripts/crawl.sh:1
Scripts rely on jq being installed but do not pin a specific version or verify installation.
#!/usr/bin/env bash
→ Add jq version check or document minimum version requirement

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | crawl.sh:line 218 - writes to --output file |
| Network | READ | READ | ✓ Aligned | crawl.sh:line 132,138 - GET/POST to Cloudflare API |
| Shell | WRITE | WRITE | ✓ Aligned | All scripts use bash; required for CLI functionality |
| Environment | READ | READ | ✓ Aligned | crawl.sh:line 21 - sources cloudflare-crawl.env |
| Skill Invoke | NONE | NONE | | No skill invocation observed |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No direct browser control; uses Cloudflare's rendering service |
| Database | NONE | NONE | | No database access |

4 findings
Medium | External URL | https://docs.example.com/ | SKILL.md:58
Medium | External URL | https://big-site.com | SKILL.md:78
Medium | External URL | https://api.cloudflare.com/client/v4/accounts/ | references/api-reference.md:5
Medium | External URL | https://api.cloudflare.com/client/v4/accounts/$ | scripts/crawl.sh:31

File Tree

4 files · 14.0 KB · 448 lines
Shell 2f · 270L Markdown 2f · 178L
├─ 📁 references
│ └─ 📝 api-reference.md Markdown 85L · 3.2 KB
├─ 📁 scripts
│ ├─ 🔧 crawl.sh Shell 222L · 6.3 KB
│ └─ 🔧 poll.sh Shell 48L · 1.2 KB
└─ 📝 SKILL.md Markdown 93L · 3.4 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| curl | any | system | No | Standard HTTP client |
| jq | any | system | No | JSON processor - version not pinned |

Security Positives

✓ No obfuscation or base64-encoded payloads
✓ All network traffic confined to documented Cloudflare API endpoint
✓ No credential exfiltration - tokens only used for API authentication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No environment variable enumeration (os.environ iteration)
✓ No remote script execution (curl|bash, wget|sh)
✓ Explicit credential documentation and storage location
✓ No reverse shell, C2, or data theft patterns
✓ Clean, readable shell scripts with proper error handling (set -euo pipefail)