firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the global installation of
firecrawl-cli@1.4.1via npm. While npm is a standard registry, this package and its author do not appear on the provided list of trusted organizations, making it an unverifiable dependency. - [PROMPT_INJECTION] (LOW): High surface area for indirect prompt injection (Category 8).
- Ingestion points: Untrusted data enters the agent context via the
scrape,search,crawl,map, andbrowsercommands, which fetch content from arbitrary external URLs. - Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions found within the scraped markdown output.
- Capability inventory: The agent has capabilities to execute shell commands (
firecrawl), perform network requests (via the CLI), and write files to the local directory. - Sanitization: No sanitization or escaping of scraped content is performed before it is presented to the LLM.
- [COMMAND_EXECUTION] (SAFE): The skill relies on shell command execution for its primary purpose. It follows best practices by advising the user to fix npm prefixes instead of using
sudofor installation.
Audit Metadata