firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is highly susceptible to Indirect Prompt Injection because its core function is to ingest untrusted data from external URLs.
- Ingestion points: The tools
firecrawl_scrape,firecrawl_crawl,firecrawl_search, andfirecrawl_extractall ingest external data into the agent's context. - Boundary markers: There are no specified delimiters or boundary markers mentioned in the documentation to help the agent distinguish between scraped content and system instructions.
- Capability inventory: While the skill itself only performs network-based reads via an API, the resulting data is fed to an LLM that may have access to other high-privilege tools (e.g., file writing or command execution).
- Sanitization: No sanitization or filtering logic is described for the content returned by the API, allowing malicious actors to embed hidden instructions in HTML/markdown that the agent might obey.
- EXTERNAL_DOWNLOADS (LOW): The skill's purpose is to fetch data from external sources. While this is a intended behavior, it creates a persistent link to untrusted external domains.
Audit Metadata