firecrawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and README explicitly instruct the agent to fetch and scrape arbitrary public web pages and search results (e.g., "firecrawl scrape https://example.com", "firecrawl search ... --scrape", and reading .firecrawl/*.md outputs), so the agent will ingest untrusted third‑party content that can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches arbitrary external pages at runtime (e.g., "firecrawl scrape https://example.com") and its workflow/read patterns show scraped content may be read into the agent context (the anti-pattern warns about Read(.firecrawl/result.md)), so remote pages like https://example.com (representing user-supplied targets) can directly control prompts by injection of fetched content.