firecrawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and processes public, user-generated web content (see SKILL.md commands like search, scrape, map, crawl, browser and the AI-powered "agent" which ingest arbitrary URLs/pages), and rules/security.md even states that fetched web content is "untrusted third-party data," so these runtime workflows can enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches arbitrary external pages at runtime (e.g., the agent command: firecrawl agent "prompt" --urls "") and those fetched pages are used as AI extraction context, which can directly control prompts via injected content.