firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the user to install the 'firecrawl-cli' package globally from npm. This is an external dependency from a source not explicitly listed as trusted, posing a risk of unverifiable code execution during installation.\n- REMOTE_CODE_EXECUTION (MEDIUM): The 'firecrawl browser execute' command allows for the execution of arbitrary scripts in Python, Node.js, and Bash. Although the documentation states this occurs in a remote sandbox, it provides a high-risk vector for dynamic code generation and execution.\n- COMMAND_EXECUTION (LOW): The skill examples utilize shell-specific features such as background execution ('&') and 'wait' for parallel processing, which increases the complexity of command auditing.\n- PROMPT_INJECTION (LOW): The skill is inherently vulnerable to indirect prompt injection due to its primary function of scraping web data.\n
- Ingestion points: Untrusted content is brought into the agent context via 'scrape', 'search', and 'crawl' commands.\n
- Boundary markers: No delimiters or isolation instructions are provided to protect the LLM from instructions embedded in the scraped Markdown.\n
- Capability inventory: The skill possesses the ability to execute CLI commands and write files to the local '.firecrawl/' directory.\n
- Sanitization: No sanitization or filtering of the external Markdown content is performed.
Audit Metadata