firecrawl

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill documentation in rules/install.md requires the installation of the firecrawl-cli package from npm. While this is an external dependency, the risk is mitigated by the specification of a fixed version (1.4.1) and instructions for non-privileged installation to avoid using sudo.
  • COMMAND_EXECUTION (LOW): The skill relies on shell command execution to interface with the firecrawl tool. It provides guidance on safe execution, such as quoting URLs to prevent shell injection vulnerabilities.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest untrusted web data, presenting an attack surface for indirect prompt injection. It implements a robust mitigation strategy:
      (1) Ingestion points: scrape, crawl, search, and agent commands.
      (2) Boundary markers: Mandatory use of the -o flag to write output to the .firecrawl/ directory.
      (3) Capability inventory: Shell command execution and remote browser evaluation.
      (4) Sanitization: rules/security.md explicitly instructs the agent to use incremental reading (e.g., grep, head) rather than loading full scraped files into context.
  • DYNAMIC_EXECUTION (LOW): The browser command includes an eval <js> capability for browser automation. While this involves dynamic code execution, it is performed in a remote sandboxed environment managed by the service provider and is limited to the scope of web interaction.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 09:04 PM