firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the 'firecrawl-cli' package from npm. While a specific version (1.4.1) is used, the package and its organization are not part of the pre-approved trusted sources list. (Evidence: rules/install.md)
- [REMOTE_CODE_EXECUTION] (MEDIUM): The 'firecrawl browser' command includes an 'eval' subcommand that allows for the execution of arbitrary JavaScript within a remote sandboxed browser environment. This is a high-risk capability if controlled by untrusted inputs. (Evidence: SKILL.md)
- [PROMPT_INJECTION] (LOW): The skill has a high surface area for indirect prompt injection as it ingests large amounts of untrusted third-party web content. (Evidence Chain: 1. Ingestion: scrape, search, crawl, agent commands in SKILL.md. 2. Boundary markers: Isolation to .firecrawl/ recommended in rules/security.md but not enforced. 3. Capability: Bash tool access. 4. Sanitization: Manual guidance provided in rules/security.md to ignore embedded instructions.)
- [COMMAND_EXECUTION] (LOW): The skill uses the Bash tool to execute CLI commands, which is its primary function but grants significant system interaction capabilities. (Evidence: SKILL.md)
Audit Metadata