From firecrawl-pack
Apply FireCrawl security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing FireCrawl security configuration. Trigger with phrases like "firecrawl security", "firecrawl secrets", "secure firecrawl", "firecrawl API key security".
How this skill is triggered — by the user, by Claude, or both
Slash command
/firecrawl-pack:firecrawl-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security best practices for FireCrawl API keys, tokens, and access control.
Security best practices for FireCrawl API keys, tokens, and access control.
# .env (NEVER commit to git)
FIRECRAWL_API_KEY=sk_live_***
FIRECRAWL_SECRET=***
# .gitignore
.env
.env.local
.env.*.local
set -euo pipefail
# 1. Generate new key in FireCrawl dashboard
# 2. Update environment variable
export FIRECRAWL_API_KEY="new_key_here"
# 3. Verify new key works
curl -H "Authorization: Bearer ${FIRECRAWL_API_KEY}" \
https://api.firecrawl.com/health
# 4. Revoke old key in dashboard
| Environment | Recommended Scopes |
|---|---|
| Development | read:* |
| Staging | read:*, write:limited |
| Production | Only required scopes |
| Security Issue | Detection | Mitigation |
|---|---|---|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |
const clients = {
reader: new FireCrawlClient({
apiKey: process.env.FIRECRAWL_READ_KEY,
}),
writer: new FireCrawlClient({
apiKey: process.env.FIRECRAWL_WRITE_KEY,
}),
};
import crypto from 'crypto';
function verifyWebhookSignature(
payload: string, signature: string, secret: string
): boolean {
const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
.env files in .gitignoreinterface AuditEntry {
timestamp: Date;
action: string;
userId: string;
resource: string;
result: 'success' | 'failure';
metadata?: Record<string, any>;
}
async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
const log: AuditEntry = { ...entry, timestamp: new Date() };
// Log to FireCrawl analytics
await firecrawlClient.track('audit', log);
// Also log locally for compliance
console.log('[AUDIT]', JSON.stringify(log));
}
// Usage
await auditLog({
action: 'firecrawl.api.call',
userId: currentUser.id,
resource: '/v1/resource',
result: 'success',
});
For production deployment, see firecrawl-prod-checklist.
npx claudepluginhub aiminnovations/claude-code-plugins-plus --plugin firecrawl-packGuides collaborative design exploration before implementation: explores context, asks clarifying questions, proposes approaches, and writes a design doc for user approval.
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
Synthesizes the current conversation into a structured spec (PRD) and publishes it to the project issue tracker with a ready-for-agent label, without interviewing the user.
4plugins reuse this skill
First indexed Jul 11, 2026