Back to plugin

Security audit

CRW Web Scraper

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, configuration, and runtime instructions are consistent with a web-scraping tool and do not request unrelated credentials or hidden access; the only notable risks are typical (using a cloud endpoint and the SKILL.md's curl | bash install recommendation).

This plugin appears coherent for web scraping: it talks to a configurable CRW service (fastcrw.com by default) or a self-hosted instance and only needs an optional API key. Before installing: (1) decide whether to use the cloud service (fastcrw.com) — that will route scraped pages through a third party and requires trusting their handling of the data and an API key; (2) avoid blindly running the suggested curl | bash install.sh without inspecting the install.sh contents — prefer reviewing the script or using the published GHCR image if you want self-hosting; (3) if you plan to use the cloud option, treat the API key as sensitive and limit its scope; (4) if you require stronger assurance, review the referenced install script and the upstream crw project source and optionally run the self-hosted binary in an isolated environment.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.