firecrawl
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches content from arbitrary external websites and processes it via the Firecrawl API, returning the results to the agent's context. This presents a surface for malicious instructions embedded in web content to influence the agent's behavior.
- Ingestion points: Functions
scrape,crawl, andsearchinscripts/firecrawl.shretrieve external data. - Boundary markers: Absent. The instructions do not specify any delimiters or warnings to the agent to disregard instructions within the scraped data.
- Capability inventory: The skill has access to the
Bashtool,Read,Write, andEditpermissions, and performs network operations viacurl. - Sanitization: The script uses
jqto parse API responses, but the actual content (markdown or text) is returned to the agent without sanitization. - [COMMAND_EXECUTION]: The skill implements its logic through a Bash script (
scripts/firecrawl.sh) which is executed with user-provided arguments such as URLs and search queries. - [CREDENTIALS_UNSAFE]: The script programmatically accesses a sensitive API key using the local
passpassword manager (pass show api/firecrawl). While this is a common method for CLI tools to manage secrets, it allows the agent to retrieve managed credentials.
Audit Metadata