firecrawl-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted web content via `firecrawl scrape`, `search`, and `crawl` for LLM consumption.
  - Ingestion points: Scraped data from web sources enter the agent context via the CLI commands in `SKILL.md`.
  - Boundary markers: Absent; the skill does not instruct the agent to use delimiters or ignore instructions within the scraped markdown.
  - Capability inventory: The agent can write files (`-o`), perform network requests, and execute shell commands.
  - Sanitization: Absent; the content is described as "clean markdown" but lacks safety filtering for embedded prompt instructions.
- Command Execution (HIGH): `SKILL.md` includes a parallelization example using `xargs` and `sh -c` that interpolates variables directly into a shell string (`sh -c 'firecrawl scrape "{}" ...'`). This allows for arbitrary command injection if the source list contains malicious characters. Additionally, `rules/install.md` suggests using `sudo` for installation, which is a high-severity privilege escalation finding.
- External Downloads (MEDIUM): The skill requires the global installation of the `firecrawl-cli` package from npm, which is an external and unverifiable dependency at the time of analysis.
- Persistence Mechanisms (HIGH): `rules/install.md` recommends modifying user shell profiles (`~/.bashrc` or `~/.zshrc`) to store environment variables, which is a common persistence vector.
Recommendations
- AI detected serious security threats
Audit Metadata