firecrawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and rules/security.md explicitly show the Firecrawl CLI performs web search/scrape/map/crawl/browser commands that fetch arbitrary public web pages (written to .firecrawl/ and then read/processed by the agent) — untrusted third‑party content the agent is expected to interpret and that can drive subsequent browser/agent actions, so it can enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires installing and running the Firecrawl CLI (e.g., npx -y firecrawl-cli / npm install -g firecrawl-cli@1.8.0), which fetches and executes remote code from the package source (https://www.npmjs.com/package/firecrawl-cli and https://github.com/firecrawl/cli), so this external content is fetched at runtime, executes code, and is a required dependency.