firecrawl
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill installs the firecrawl-cli@1.4.1 package via npm. This is a standard installation procedure for the tool functionality.
- COMMAND_EXECUTION (SAFE): The skill primary mechanism involves executing shell commands. The documentation specifically instructs the agent to quote URLs to prevent shell injection attacks.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to process untrusted third-party web content. Evidence chain: 1. Ingestion points: Scraped content from search, crawl, and scrape commands. 2. Boundary markers: The skill enforces output isolation into a .firecrawl/ directory. 3. Capability inventory: File system writing and network access via the CLI. 4. Sanitization: The rules/security.md file explicitly mandates incremental reading (grep/head) and warns the agent not to interpret web content as instructions.
- DYNAMIC_EXECUTION (LOW): The browser command supports an eval subcommand. This is a primary feature for browser automation and is executed within Firecrawl's remote sandboxed environment, limiting local risk.
Audit Metadata