firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires installing
firecrawl-cli@1.4.1from npm. This is an external dependency from a non-whitelisted source. - DYNAMIC_EXECUTION (MEDIUM): The skill utilizes
firecrawl browser executewith--python,--node, and--bashflags. While documented as running in a remote sandboxed environment, this provides a mechanism for script generation and execution based on agent-generated or user-provided input. - PROMPT_INJECTION (LOW): The skill is designed to ingest untrusted third-party data from the web (Category 8). This creates a surface for indirect prompt injection where malicious instructions in scraped content could influence the agent.
- Ingestion points:
firecrawl scrape,firecrawl search, andfirecrawl crawlsave data to the.firecrawl/directory. - Boundary markers: The skill documentation advises the agent to use
-oto write results to files and use incremental reading (grep/head) to avoid direct context injection. - Capability inventory: The agent can execute shell commands, read/write local files in the
.firecrawl/directory, and perform network operations via the CLI. - Sanitization: No programmatic sanitization is defined; the skill relies on instructional guidance for the agent to treat content as untrusted.
- COMMAND_EXECUTION (LOW): The skill operates by executing shell commands. Improper sanitization of user-provided URLs or search queries could lead to local command injection if the agent does not properly quote arguments as instructed.
Audit Metadata