firecrawl

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): High surface area for indirect prompt injection, as the skill retrieves untrusted third-party web content.
    1. Ingestion points: Scraped data saved to the .firecrawl/ directory via the search, scrape, and crawl commands.
    2. Boundary markers: rules/security.md specifies strict output isolation using the -o flag and incremental reading to prevent raw content ingestion.
    3. Capability inventory: Remote browser interaction (clicks, fills, eval), data extraction, and bulk site crawling.
    4. Sanitization: Documentation mandates manual extraction of specific data and explicit disregard for instructions found in web content.
  • [External Downloads] (SAFE): Installs firecrawl-cli@1.4.1 from npm. While not on the pre-approved trusted list, it is a versioned tool necessary for the skill's core function.
  • [Command Execution] (SAFE): Uses shell commands to run the Firecrawl CLI. Security rules require quoting URLs to prevent shell command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 09:09 PM