Add Spider Cloud plugin (MCP server + skills)

[gbertb]

What this PR does

Adds the Spider Cloud plugin — web crawling, scraping, search, and remote browser automation for Grok Build via the hosted Spider MCP server (anti-bot bypass, proxy rotation, AI extraction).

• Plugin name: spider
• Type: remote source
• Source URL + pinned SHA: https://github.com/spider-rs/spider-grok-plugin.git @ d2184669d1576562bebc3c9d7a2591c798d34f1b
• Homepage: https://spider.cloud/mcp

Ships 1 MCP server (hosted, HTTP) + 3 skills (spider overview/tool-guide, spider-crawl-scrape, spider-browser).

Ownership

• I own this plugin or have the right to distribute it.
• The source repo is published under our official org — spider-rs (the official Spider org, same org as the spider/spider-rs crates and tooling).

Checklist

• Added exactly one entry in .grok-plugin/marketplace.json (valid JSON, kebab-case name).
• Remote source pins a full 40-char lowercase commit sha; the commit is public + reachable.
• Regenerated .grok-plugin/plugin-index.json.
• python3 scripts/validate-catalog.py passes locally.
• python3 scripts/generate-plugin-index.py --check passes locally.
• homepage + clear description set.
• License is stated (MIT).

Security

• No curl | bash, remote-code download/exec, or postinstall RCE. The plugin is a hosted MCP config + markdown skills; it ships no executable scripts and no hooks.
• No reading/exfiltration of secrets, tokens, .env, or env vars. The only credential used is SPIDER_API_KEY, sent solely as the Authorization: Bearer header to the Spider endpoint.
• Hooks and MCP scope are least-privilege. No hooks; a single scoped HTTP MCP server (no shell-exec server).
• Network endpoints this plugin calls (and why): https://mcp.spider.cloud/mcp only — the official Spider Cloud hosted MCP server that provides the crawl/scrape/search/browser tools.
• Credentials/permissions it requires (and why): SPIDER_API_KEY — the user's Spider API key (https://spider.cloud/api-keys), required to authenticate to the hosted MCP server. Supplied via env-var interpolation (Bearer ${SPIDER_API_KEY}) so no secret is committed.

Notes for reviewers

Source repo spider-rs/spider-grok-plugin is under the official Spider org. The same hosted Spider MCP server is also published in the official MCP Registry as cloud.spider/mcp (DNS-verified on spider.cloud). This mirrors the structure of the existing firecrawl entry (hosted web-data MCP); the difference is Spider authenticates with a Bearer API key rather than OAuth.

[gbertb]

Shows up fine in grok plugins (repo install):