Firecrawl Automation

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill requires registering an external MCP server from https://rube.app/mcp. This source is not on the trusted list, and registering third-party servers allows the execution of logic provided by that server within the agent's environment.
  • Indirect Prompt Injection (LOW): The skill is designed to scrape and extract data from external, untrusted web pages using tools like FIRECRAWL_SCRAPE and FIRECRAWL_CRAWL_V2.
      • Ingestion points: Content fetched from user-provided or crawled URLs.
      • Boundary markers: None identified in the skill definition to delimit scraped content from instructions.
      • Capability inventory: Web crawling, mapping, and AI-driven data extraction capabilities are exposed to the content.
      • Sanitization: No specific sanitization or validation of the scraped content is described before it is processed by the AI.
  • Data Exposure & Exfiltration (SAFE): No hardcoded credentials, API keys, or access to sensitive local files (e.g., SSH keys, .env) were detected.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 09:11 PM