As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?

Watch your logs. I was astounded to see hackbots start probing my home computer’s webserver, mostly for PHP vulnerabilities, within something like 20 minutes of opening port :80 to the outside.

I’m not trying to pile on. eval can be dangerous but the way you’re setting things up is probably safe for your intended use. If you were a bank or something, no. When I open personal stuff up to the outside I sometimes pseudo-firewall with IP filtering in the app (plack middleware) and always use htaccess with SSL enforced (also easy with middleware).