flaresolverr
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Pulls the official FlareSolverr container image (ghcr.io/flaresolverr/flaresolverr) from the GitHub Container Registry, which is a trusted service.
- [COMMAND_EXECUTION]: Uses 'docker run', 'docker start', and 'docker stop' to manage the local service lifecycle. Interacts with the service via 'curl' on localhost.
- [PROMPT_INJECTION]: Fetches HTML content from untrusted external URLs, presenting a surface for indirect prompt injection (Category 8).
  - Ingestion points: The 'flaresolverr-fetch.sh' script outputs raw HTML from scraped websites directly to the console.
  - Boundary markers: Absent; the skill returns the full HTML document without delimiters or safety instructions.
  - Capability inventory: The agent has access to system commands (docker, curl) and python for processing the returned data.
  - Sanitization: No sanitization or filtering is performed on the scraped content by the skill's scripts.
- [REMOTE_CODE_EXECUTION]: Automated scans flagged a pattern where 'curl' output is piped to 'python3'. This was investigated and found to be restricted to 'localhost' for JSON formatting ('python3 -m json.tool') or data extraction from the local FlareSolverr status endpoint, which does not constitute a remote code execution vulnerability from an untrusted source.