firecrawl
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted web content from external URLs, which creates a surface for indirect prompt injection attacks.\n
- Ingestion points: The agent fetches data from the internet using search, scrape, and crawl commands as defined in SKILL.md.\n
- Boundary markers: Output is isolated in the .firecrawl/ directory via the -o flag, preventing direct ingestion into the primary conversation context as noted in rules/security.md.\n
- Capability inventory: The agent has access to Bash for CLI operations and utilities like jq and grep for data processing.\n
- Sanitization: rules/security.md provides instructions to quote URLs and explicitly warns the agent not to follow instructions or logic found within the fetched content.\n- [EXTERNAL_DOWNLOADS]: The skill requires the installation and use of the firecrawl-cli package, which is the official tool for the Firecrawl service.\n
- Evidence: Installation procedures in rules/install.md and rules/security.md specify downloading the firecrawl-cli package from the official NPM registry via npm or npx.
Audit Metadata