firecrawl-cli
Audited by Socket on Feb 27, 2026
1 alert found:
Security
This skill/documentation describes a legitimate-looking CLI for web search and scraping that requires an API key and sends scraped content to a backend service. I found no direct evidence of malware (no obfuscated payloads, no curl|bash download-execute chains, no embedded hardcoded secrets). The main risks are data/credential exposure and supply-chain considerations: scraped content (including potentially sensitive pages) and user credentials will be transmitted to the Firecrawl service; npm install is unpinned; and user-facing shell examples encourage patterns (xargs, sh -c) that can lead to shell injection if used carelessly. Overall this appears functionally coherent with its purpose but carries moderate privacy and operational risk depending on trust in the remote service and how users handle keys and outputs.