firecrawl
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill manages the installation of the firecrawl-cli package from the official npm registry and references documentation from the Firecrawl GitHub repository. These are well-known and trusted sources for web scraping infrastructure.
- [COMMAND_EXECUTION]: The skill utilizes Bash to execute firecrawl CLI commands. This includes advanced capabilities like browser automation and remote JavaScript evaluation (eval <js>), which are executed within Firecrawl's managed cloud sandbox rather than on the local host.
- [PROMPT_INJECTION]: The skill explicitly identifies the threat of indirect prompt injection from third-party web content. It implements several defensive strategies:
  - Ingestion points: Web content is fetched via search, scrape, and crawl commands.
  - Boundary markers: Output is isolated to local files in the .firecrawl/ directory rather than being directly injected into the LLM's primary context window.
  - Capability inventory: Access is restricted to specified Bash commands; direct system access is not granted.
  - Sanitization: The security rules instruct the agent to use incremental reading (e.g., grep, head) and specifically advise ignoring any instructions embedded within the fetched web data.
Audit Metadata