firecrawl-scrape
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from the web.
  - Ingestion points: Content is retrieved from arbitrary external URLs provided during execution via the firecrawl scrape command.
  - Boundary markers: The skill does not define specific delimiters or instructions to help the agent distinguish between scraped data and its own core instructions.
  - Capability inventory: The skill has the ability to execute shell commands and write to the local filesystem using the Bash tool.
  - Sanitization: Content is converted to markdown for formatting, but there is no mechanism mentioned to sanitize or filter out potentially malicious instructions embedded in the HTML or text of the target pages.
- [COMMAND_EXECUTION]: The skill facilitates the execution of shell commands to interact with the Firecrawl utility.
  - Evidence: The YAML frontmatter allows Bash(firecrawl *) and Bash(npx firecrawl *). The instructions provide several examples of executing these commands with various arguments and flags.
- [EXTERNAL_DOWNLOADS]: The skill may trigger the download of the Firecrawl package from a public registry.
  - Evidence: The use of npx firecrawl in the allowed tools and examples will attempt to fetch and execute the firecrawl package from the npm registry if it is not already present in the environment.
Audit Metadata