firecrawl
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that attempt to override the agent's default behavior by requiring it to ignore and replace its built-in WebFetch and WebSearch tools with the Firecrawl CLI for all internet tasks.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'firecrawl-cli' package from the NPM registry to provide its core functionality.
- [COMMAND_EXECUTION]: The skill involves multiple sensitive shell operations. It suggests using 'sudo' for installation, which is a privilege escalation risk. It also instructs the agent to modify user shell profiles such as '~/.bashrc' or '~/.zshrc' to store environment variables, serving as a persistence mechanism. Furthermore, the skill creates a surface for indirect prompt injection (Category 8): it ingests untrusted data via search and scrape commands (ingestion points) without using boundary markers or sanitization, while maintaining the capability to execute further shell commands, write to the file system, and perform network operations (capability inventory).
- [CREDENTIALS_UNSAFE]: The skill handles 'FIRECRAWL_API_KEY' and recommends persisting it in plaintext within shell configuration files, which increases the risk of credential exposure to other processes or users.
Recommendations
- AI detected serious security threats