firecrawl
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the
firecrawl-clipackage from the NPM registry during its setup phase usingnpm install -gandnpxcommands. - [REMOTE_CODE_EXECUTION]: The installation instructions include running an initialization script via
npx firecrawl-cli init, which fetches and executes code directly from a remote repository. Additionally, thebrowsercommand facilitates dynamic code execution through anevalsub-command within a remote browser environment. - [COMMAND_EXECUTION]: The skill is granted permission to run arbitrary
firecrawlandnpx firecrawlcommands via the Bash shell. This includes interacting with a remote Chromium instance where arbitrary JavaScript can be executed. - [PROMPT_INJECTION]: The skill is designed to process untrusted third-party data from the web, creating an attack surface for indirect prompt injection.
- Ingestion points: Web content fetched via
firecrawl scrape,firecrawl search, andfirecrawl crawlas defined inSKILL.md. - Boundary markers: The skill suggests isolating output in a
.firecrawl/directory and utilizing incremental reading techniques (e.g.,grep,head) as documented inrules/security.md. - Capability inventory: Broad Bash command execution, file system writes to the
.firecrawl/directory, and JavaScript evaluation (eval) in the browser tool. - Sanitization: The skill lacks automated sanitization of fetched content, relying on manual inspection guidelines.
- [CREDENTIALS_UNSAFE]: Authentication procedures documented in
rules/install.mdinvolve passing sensitive API keys as command-line arguments (--api-key "<key>"), which can expose them in shell history, logs, or process monitors.
Audit Metadata