firecrawl-cli
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the
firecrawlbinary via the shell. It also provides examples for using shell utilities such asjq,grep,head,wc, andxargsto process scraped data and manage parallel execution. - [EXTERNAL_DOWNLOADS]: The documentation instructs the user to install the
firecrawl-clipackage globally vianpm install -g firecrawl-cli, which is a standard method for installing this specific utility. - [PROMPT_INJECTION]: The skill facilitates the ingestion of third-party web content, creating a vulnerability to indirect prompt injection where an attacker-controlled website could include instructions aimed at manipulating the agent's behavior.
- Ingestion points: Data is pulled into the agent's context through the
scrape,search, andcrawlsubcommands as described inSKILL.md. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are provided to the agent when reading the generated markdown files.
- Capability inventory: The skill has the ability to execute shell commands, write to the local file system (specifically the
.firecrawl/directory), and perform network requests via the CLI. - Sanitization: The skill relies on Firecrawl's internal processing to return 'clean markdown', but it does not implement its own sanitization to filter out potentially malicious natural language instructions within that content.
Audit Metadata