firecrawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly fetches and ingests open web content via commands like firecrawl scrape "<url>", firecrawl search ... --scrape, firecrawl crawl "<url>", browser sessions and the agent extractor (and rules/security.md even warns that all fetched web content is "untrusted third-party data"), so the agent is clearly exposed to arbitrary public/user-generated content that could carry indirect prompt injections.