firecrawl-search
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to run the Firecrawl CLI. This is restricted via allowed-tools to only permit commands starting with firecrawl or npx firecrawl, preventing the execution of arbitrary shell commands.
- [EXTERNAL_DOWNLOADS]: The skill utilizes npx firecrawl, which may download the latest version of the Firecrawl package from the npm registry. As Firecrawl is the official vendor of the skill, this is an expected and legitimate operation for maintaining up-to-date tooling.
- [PROMPT_INJECTION]: The skill is a surface for indirect prompt injection because it ingests untrusted content from the web via search results and page scraping.
  - Ingestion points: External content enters the agent's context through search results and full-page markdown extracted by the firecrawl search command.
  - Boundary markers: None explicitly defined in the skill instructions to separate scraped content from the system instructions.
  - Capability inventory: The agent has access to the Bash tool (restricted to Firecrawl commands), which can read and write to the filesystem.
  - Sanitization: No explicit sanitization or filtering of the scraped markdown content is performed before it is presented to the agent.
Audit Metadata